Data breach legislation proposes jail time for CIO, HR execs
Sen. Elizabeth Warren takes a swing at corporate negligence in new legislation that may create jail risk for the C-suite. The bill is unlikely to advance, however.
Data breaches caused by negligence may lead to jail time for corporate executives under legislation introduced last week by U.S. Senator Elizabeth Warren (D-Mass.).
Warren's bill is unlikely to advance in the Republican-controlled Senate. But it does provide insight into what she would seek as president to curb data breaches. "Jail time," Warren tweeted, after introducing her bill, which broadly attacks corporate fraud and negligence. Warren is campaigning for the 2020 Democratic presidential nomination.
The data breach legislation is clearly aimed at C-suite executives, but it may go deeper than that, according to some legal experts. It could create peril for a range of high-level executives, such as an executive who serves as director of HR or as CIO.
The data breach legislation applies to firms with an annual revenue of $1 billion or more. To trigger a jail risk threshold, the breach must impact the personal data of 1% of Americans or 1% of the population of any state. One percent of the U.S. population is about 3.27 million people.
Such a low threshold could mean trouble for private -- and public -- organizations. Marriott International Inc., for instance, disclosed last year that a breach of its Starwood guest reservation database exposed some 500 million consumer records. Another example: In 2015, the U.S. government sustained one of the largest breaches of employee records when the personnel data of 4.2 million current and former federal government employees was stolen.
Many questions about this bill
But there are a lot of questions about how Warren's data breach legislation would work, if it became law.
The bill, called the Corporate Executive Accountability Act, seeks jail time for certain types of corporate wrongdoing. It argues that executives escape prosecution "because it is hard to demonstrate that they are personally aware of all their company's actions," according to a summary of the legislation.
An executive who pleads guilty to a crime could be subject to jail time under this bill. But the data breach legislation could also impact executives who enter into a settlement with a state or federal regulator "for the violation of any civil law" that affects the health, safety, finances or personal data of 1% of the population.
Robert Hanna, an attorney at Tucker Ellis LLP, said it was a "scary notion" that a firm can enter into a consent order and "in doing so, then, under this bill, face criminal liability for a year or up to three years in prison."
"There are a lot of question marks in this bill, that being one of them," Hanna said.
Another question is exactly which executives in a corporation may be at risk after a data breach.
A broad executive net is possible
The proposed law uses the definition of executive officer from the U.S. Securities and Exchange Commission, which would cover the CEO and most likely cover the chief compliance officer. But the data breach legislation might also include certain non-officers who oversee a division, a vice president of HR, as well as people with policy-making authority, said Karin McGinnis, an employment attorney at Moore & Van Allen PLLC.
McGinnis doesn't believe that someone such as a regional HR manager could be exposed to liability. Instead, she believes a law such as this could have a "negative impact" on "qualified individuals wanting to be CIO or CTO or CEO of a company because of the risk" of criminal liability.
Steve Williams, an attorney at Munsch Hardt Kopf & Harr, P.C., sees the good and the bad of the proposed legislation. "Sen. Warren's proposed bill would essentially criminalize negligence," Williams said in an email. A potential benefit is that corporate executives "will be much more motivated to police the activities and conduct of people within their organization to ensure compliance with the law, and to make sure that any misconduct is discovered quickly and properly addressed."
But a risk, Williams said, can be illustrated by the savings and loan crisis of the late 1980s and early 1990s, when "the government aggressively sued many of the officers and directors of failed savings and loan institutions." It became "harder to get good business people to be willing to serve on the boards of banks and financial institutions for fear of risking personal financial liability."
Tom Kellermann, chief cybersecurity officer at cybersecurity company Carbon Black Inc., believes any legislation must consider an organization's commitment to securing data.
"Did the business simply turn a blind eye to security?" Kellermann said in an email. "Or was there a concerted effort to adhere to strict security best practices? If the former, punishment may be warranted."