Elizabeth Warren wants jail time for CEOs in Equifax-style breaches

by Timothy B. Lee, Ars Technica

Courtesy of Pexels // Markus Spiske

In 2017, criminals stole the personal data of about 143 million people from the credit reporting agency Equifax. It was a huge embarrassment for the company and a headache for the millions of people affected. Equifax's then-57-year-old CEO Richard Smith retired in September 2017, weeks after the breach was discovered, with a multi-million dollar pay package.

Massachusetts US Senator turned Democratic presidential candidate Elizabeth Warren wants to make sure that CEOs who preside over massive data breaches in the future don’t get off so easily. On Wednesday, she announced the Corporate Executive Accountability Act, which would impose jail time on corporate executives who “negligently permit or fail to prevent” a “violation of the law” that “affects the health, safety, finances or personal data” of 1 percent of the population of any state.

A CEO could get up to a year in prison for a first offense. Repeat offenders could get three years.

The penalty only applies to companies that generate more than $1 billion in annual revenue—Equifax had $3.4 billion in revenue in 2017. It also only applies to companies that are either convicted of violating the law or settle claims with state or federal regulators. Equifax may qualify on this score, too, since the company signed a consent decree with state regulators last year.

With that said, most data breaches would not trigger criminal penalties under the proposed law. A CEO would face jail time only if the breach resulted from illegal activity by the company and if prosecutors could show that the CEO was negligent in failing to prevent it. Under current law, merely being the victim of a data breach is not a crime, so the underlying legal violation has to come from somewhere else, such as a data-security or breach-notification statute the company failed to comply with.

While federal laws on data breaches are not very strict, states have enacted a variety of laws on the subject, and some may pass stricter laws in the future. So if a company's data-management practices violate even a single state's law and result in a breach affecting 1 percent of that state's population, that could be enough to trigger personal criminal liability for the company's CEO.