Data Breach Culpability: are CEOs to blame?

James Grieco
James Grieco
Apr 26, 2023
min read
Data Breach Culpability: are CEOs to blame?

The Helsinki District Court made international waves last week when it handed a three-month suspended sentence to ex-Vastaamo CEO Ville Tapio

Vastaamo, a psychotherapy firm, was hit by a data breach while Tapio was CEO, and the Finnish court found that under his watch the company “did not fulfil General Data Protection Regulation requirements, in terms of the pseudonymisation and encryption of patient data handled by the center.” 

Tapio had already felt the consequences of the breach, as it cost him his job soon after it occurred in 2020, but the recent criminal trial shows the stakes for corporate leadership are higher than ever in data privacy terms. Tapio argued he did not know the company’s IT security was poor during his time there, but that defense simply led into the court’s claim of his intentional or grossly negligent behavior.

This may be the start of a new trend, as the language of “grossly negligent behavior” used by the courts is the same terminology increasingly being used in data regulations when it comes to fines. It is not a stretch for courts to extend that language beyond financial repercussions when it comes to assigning culpability in the hopes of spurring more proactive measurements against data breaches. 

This is not solely an EU, GDPR-related thing either. The FTC took action against alcohol marketplace Drizly’s CEO James Cory Rellas in late 2022, citing his personal failure to protect against a data breach that leaked personal information on roughly 2.5 million customers. 

While that case is ongoing and it is currently unclear what type of punishment is on the table for Rellas, an FTC representative stated bluntly about the case, “CEOs who take shortcuts on security should take note.”

Drizly is a particularly telling case because of the size of the data breach and the fact that the company was notified years prior of a major issue with its data security procedures, which seemingly went unfixed. In any case, any CEO must know about these issues within their own company, as Tapio’s defense–feigning ignorance–shows either a critical failure in leadership or straight up dishonesty.

Companies may think data and cybersecurity measures are places to save in a tighter economy due to the hazier ROI, but compliance is bigger than a spreadsheet, as cases like the aforementioned have shown. With data breaches happening more frequently than ever, skimping or ignoring cybersecurity nowadays is a recipe for disaster.

In fact, we may be at the precipice of the matter, as consulting giant Gartner released a report in late 2020 predicting up to 75% of CEOs could be held personally liable for cybersecurity incidents by 2024. In the same report, Gartner research put the financial impact of attacks on cyber-physical systems (CPS) at $50 billion, noting “Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them.” 

In short, this is a problem that everyone has identified, and it’s just a matter of whether businesses are going to start ensuring proper measures are taken to protect the data they proclaim to value above all else. The privacy harms are real, and anything that compels company leaders to institute safeguards is a victory.

This is in sync with what the most advanced companies are doing with their privacy programs. From speaking with hundreds of privacy professionals, we hear again and again that the best data privacy initiatives are those driven with direct support from the C-suite. When leadership champions data protection, brands benefit and the proper measures get put into place. When leadership is blasé about it, well, things tend to stall. 

The idea of holding CEOs liable for data breaches isn’t new, but with actual heads starting to roll in cases of outsized privacy harm and verifiable negligence, leaders across the globe need to start reevaluating their corporate priorities. Investing more heavily in data security is a small price to pay compared to a potential avalanche of data breaches, bad publicity, and regulatory bodies with teeth.