[Dataloss] CEOs deserve jail for data breaches

James Ritchie, CISA, QSA james_ritchie at sbcglobal.net
Wed Apr 9 14:12:46 UTC 2008 

Each company in the US has a Fiduciary responsibility to protect the 
data within perimeter. This has been established under several items: 
Model Business Corporation Act (ABA created and adopted by many states), 
Federal Rules on Civil Procedures, US Sentencing Guidelines, and 
others.  These issues have defined governance and actions the 
accountability of senior management while protecting the data (see my 
article scmagazineus.com "Global Security Concerns 
<http://www.scmagazineus.com/Global-security-challenges/article/108580/>").  
In many cases, management sets the tone-at-the-top, determines what is 
to be spent, and is held accountable to the stockholders ( or principals 
of the business). What I expect to see, is a very savvy attorney turn a 
breach into a civil suit, naming the Cxx of the company for failure to 
preform their due diligence and due care of protecting the data that was 
entrusted to them.

Jeff wrote:
> Putting a CEO in jail for a data breach would be ridiculous unless the
> person were directly responsible for releasing the protected information.
> Jails are already over crowded and this would not solve the problem.
> Generally, it's hard to find people more clueless about IT than a CEO! Data
> breeches need to be more publicized, companies should be fined heavier based
> on the amount and severity of the data loss. There should also be monetary
> compensation to the victims built into the law. This would eliminate the
> need for court proceedings and add to the total fine and therefore risk to
> the organization. At this time, there isn't much action because the majority
> of people are not vocal about this issue and that makes political and
> corporate leaders feel that the issue is not important enough to spend time
> and money correcting.
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
> On Behalf Of security curmudgeon
> Sent: Wednesday, April 09, 2008 4:33 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] CEOs deserve jail for data breaches
>
>
>
> ---------- Forwarded message ----------
> From: InfoSec News <alerts at infosecnews.org>
>
> http://www.techworld.com/security/news/index.cfm?newsID=11924
>
> By John E. Dunn
> Techworld
> 08 April 2008
>
> A growing number of security pros believe that the way to stop data breaches
> from happening is simple as it is stark - send the CEOs or board members
> deemed responsible to jail.
>
> The opinion emerged from a survey by security mainstay Websense at the
> recent UK e-Crime Congress, which polled 107 security professionals on their
> opinions. Seventy-nine percent believed that companies should be fined for
> data breaches . something that does already happen in some cases in the UK .
> while 59 percent were in favour of compensation for consumers affected by a
> breach.
>
> The most striking view of all was that the time had come to punish serious
> data breaches with jail time for senior staff, with 25 percent rating that
> as a necessary step. Only three percent were against any form of
> legally-enforceable punishment.
>
> [..]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
> No virus found in this incoming message.
> Checked by AVG. 
> Version: 7.5.519 / Virus Database: 269.22.10/1366 - Release Date: 4/8/2008
> 5:03 PM
>  
>
> No virus found in this outgoing message.
> Checked by AVG. 
> Version: 7.5.519 / Virus Database: 269.22.10/1366 - Release Date: 4/8/2008
> 5:03 PM
>  
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>   

-- 
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
Linkedin http://www.linkedin.com/pub/1/b89/433 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080409/ea25a34e/attachment-0001.html

More information about the Dataloss mailing list