posted by Fnord666 on Monday April 08 2019, @08:04AM
from the accountability-is-for-suckers dept.

Submitted via IRC for Bytram

Elizabeth Warren wants jail time for CEOs in Equifax-style breaches

In 2017, criminals stole the personal data of about 143 million people from the credit rating system Equifax. It was a huge embarrassment for the company and a headache for the millions of people affected. Equifax's then-57-year-old CEO Richard Smith retired in September 2017, weeks after the breach was discovered, with a multi-million dollar pay package.

Massachusetts US Senator turned Democratic presidential candidate Elizabeth Warren wants to make sure that CEOs who preside over massive data breaches in the future don't get off so easily. On Wednesday, she announced the Corporate Executive Accountability Act, which would impose jail time on corporate executives who "negligently permit or fail to prevent" a "violation of the law" that "affects the health, safety, finances or personal data" of 1 percent of the population of any state.

A CEO could get up to a year in prison for a first offense. Repeat offenders could get three years.

The penalty only applies to companies that generate more than $1 billion in annual revenue—Equifax had $3.4 billion in revenue in 2017. It also only applies to companies that are either convicted of violating the law or settle claims with state or federal regulators. Equifax may qualify on this score, too, since the company signed a consent decree with state regulators last year.

With that said, it seems that most data breaches probably wouldn't trigger criminal penalties under the proposed new law. A CEO would only face jail time if a data breach was the result of illegal activity by the company and if prosecutors can show that the CEO was negligent in failing to prevent it. And under current law, merely being the victim of a data breach isn't a crime.


  • (Score: 1, Informative) by Anonymous Coward on Monday April 08 2019, @03:26PM (2 children)

    by Anonymous Coward on Monday April 08 2019, @03:26PM (#826198)

    ^^ We call this whataboutism.

  • (Score: 4, Interesting) by Anonymous Coward on Monday April 08 2019, @04:08PM (1 child)

    by Anonymous Coward on Monday April 08 2019, @04:08PM (#826217)

    Then I'll give you a real whatabout to chew on: If your physician's office breaches your personal information....

    The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA covered entity was aware that HIPAA Rules were violated. The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation up to a maximum of $1.5 million per violation category.

    https://www.hipaajournal.com/civil-penalty-for-knowingly-violating-hipaa/ and countless other places.

    Employees can be personally held liable for breaches to the same tune. There is the possibility of jail time for violators.

    Now, why exactly do you think that FICO, Equifax, TransUnion, and Experian should be held less liable than your family physician should be?

    • (Score: 0) by Anonymous Coward on Tuesday April 09 2019, @01:20AM

      by Anonymous Coward on Tuesday April 09 2019, @01:20AM (#826480)

      Now, why exactly do you think that FICO, Equifax, TransUnion, and Experian should be held less liable than your family physician should be?

      Because there has been a proven history of companies discriminating against people due to their medical history. Whereas for most situations (except for the already illegal crime of identity theft) most of the people who would discriminate against you for a credit score would already request you give that score to them anyway.

      Admittedly both would have a pretty large impact, but which do you think would have more of an impact and/or be harder to say:

      "Mr. Employer/Insurance Underwriter/Credit Card Company, I'm $40,000 in debt, have no idea how to pay it back, and am living paycheck to paycheck."

      "Mr. Employer/Insurance Underwriter/Credit Card Company, over the past decade I have been seriously sick for on average 25 days each year, and I have a 10% chance of getting diabetes and a 5% chance of having a heart attack in the next 10 years."

      I think there should be more scrutiny and punishment for these breaches of security as well. However, let's not conflate shooting a wolf near your farm (endangered species, bad) with shooting a rhino for ivory (very endangered, very bad).