Regulators Want CEOs To Go To Jail For Cyber Failings, Should You?
Cybersecurity and data privacy are significant public interest issues. There’s little doubt that the companies we choose to do business with could be doing a much better job of protecting the data we entrust to them. So why aren’t they?
Sen. Elizabeth Warren and other lawmakers and regulators think it’s because corporate executives have no personal accountability on the issue.
They may be right. A recent study from Warwick Business School of US data breaches between 2004 and 2016 found that CEOs “…were more likely to receive an increase in total and incentive pay several years after a security breach.”
Sen. Warren just proposed legislation that would change that: the Corporate Executive Accountability Act. The bill’s stated purpose is “…to establish criminal liability for negligent executive officers of major corporations…that affects the health, safety, finances or personal data… ” of a significant number (not less than 1%) of individuals in the United States.
In her press release she comments:
Corporations don’t make decisions, people do, but for far too long, CEOs of giant corporations that break the law have been able to walk away, while consumers who are harmed are left picking up the pieces.
Her proposed legislation is clearly a response to the large data breaches of the last several years, breaches that keep getting larger, from Target to Equifax to Marriott. Do something bad enough for long enough, especially on an issue that’s clearly in the public interest, and regulators will do their thing: regulate it.
That’s where we are at on cybersecurity and data privacy in corporate America. Regulators want to put this issue squarely on the shoulders of corporations and their leaders and to hold them accountable for protecting the public interest on the information we entrust them with.
While corporate directors already have a fiduciary duty that covers these issues, there is little precedent in the legal system holding executives to any clear standard of accountability on this fast-moving issue. Greenberg Traurig LLP attorney Paul Ferrillo says that in order to meet this fiduciary duty:
“Directors can’t sit on the sidelines and just assume everything is fine and dandy when it comes to cyber. They can’t just rely on their internal IT executives. They generally need to do something.”
However, where laws or standards are not enforced or applied, for all practical purposes there is no law. Regulators want to clarify and change that by putting a new and clear standard of accountability on the backs of CEOs.
A Disney shareholder proposal this year also attempted to tie CEO pay to cybersecurity. The company recommended that it be voted against, and it was. A similar proposal was put forward last year by a Verizon shareholder; it was also defeated.
It’s not as if Warren and others are overstating the critical nature of this issue, either. Earlier in 2019, the World Economic Forum once again ranked cybersecurity risk among the top technology risks in its 2019 Global Risks Report. Warren and other regulators take issue with who is doing something about it, and they think that someone needs to be America’s corporate leaders. Regulators will force action where corporate leadership continually fails on issues of significant public interest; that’s inevitable, and corporate America’s ongoing cybersecurity failings are all but guaranteeing a heavy-handed regulatory response.
Around the time of the Marriott breach disclosure six months ago, Senator Ron Wyden (D-OR) published a discussion draft of the Consumer Data Protection Act, which also aims to increase accountability at the CEO level. His proposal would require the CEO and CISO to certify an annual data protection report, with civil and criminal penalties of up to $5 million in fines and up to 20 years in prison for knowingly certifying a false report.
The Cybersecurity Disclosure Act of 2019 is also back for its third act. Originally proposed by the bipartisan team of Jack Reed (D-RI) and Susan Collins (R-ME), this proposed amendment to the Securities Exchange Act would require companies to disclose whether they have cybersecurity expertise on their corporate board. That’s it, simple disclosure. It died, was resurrected in 2017, and is back again in 2019. The 2019 iteration has picked up five additional bipartisan co-sponsors.
While regulators and CEOs get their acts together on this issue, consumers are the ones who pay the price. Consumers can always vote with their wallets or their time and choose not to do business with companies that put their data at risk, but how do they know? How does the average consumer know whether a company is dedicating proper attention and resources to these issues? How does the average citizen know whether they can trust any particular company, or what its cyber hygiene practices are? They don’t. Consumers have been kept waiting before on significant matters of public interest, as with food safety.
In 1934 the FDA and the U.S. Public Health Service created the first “Restaurant Sanitation Program.” This was a voluntary set of food regulations that led to food service inspections, an improvement in food hygiene and the A, B and C grades and signs seen in many restaurant windows today.
As with food hygiene, it is possible to assess cybersecurity and data privacy practices against an accepted standard; it’s just not being done. But why shouldn’t it be? While no assessment guarantees that a breach won’t happen, it would change how companies approach the issue, strengthening protections and improving trust, and thereby serving the public interest as well as protecting the assets of the corporation. It’s a win-win-win-win.
At the RSA Conference this year, the world’s largest cybersecurity and risk conference, RSA executives envisioned a future in which companies have a digital risk score, a composite measure of collective trust and risk that would become a cornerstone of a “trust enabled world.”
Companies can take common-sense steps on this issue today, but not enough are. These include putting cybersecurity-skilled directors on their corporate boards and moving cybersecurity oversight out from underneath the audit committee. Training directors and employees on basic cybersecurity awareness and adopting a framework such as the NIST Cybersecurity Framework are also simple, common-sense steps.
These are reasonable and low-cost starting points. While regulators and the legal process take time to protect consumer and stakeholder interests, perhaps the only court that truly matters on this issue is the court of public opinion. Consumers deserve better and should demand it; a “trust enabled world” isn’t possible without it.