
Elizabeth Warren wants jail time for CEOs in Equifax-style breaches - doppp
https://arstechnica.com/tech-policy/2019/04/elizabeth-warren-wants-to-jail-negligent-ceos-in-some-data-breaches/?comments=1
======
jimz
"On Wednesday, she announced the Corporate Executive Accountability Act, which
would impose jail time on corporate executives who "negligently permit or fail
to prevent" a "violation of the law" that "affects the health, safety,
finances or personal data" of 1 percent of the population of any state."

This is really poorly thought out and in practice, impossible to enforce. This
is clearly shoehorning a civil case framework into the criminal justice
system.

"Negligently permit or fail to prevent" is the sort of clause that would
almost inevitably end up hitting founders engaged in any sort of company that
deals with personal data. Larger companies can simply fall back to delegating
the security issue to a non-executive. At that point proving negligence
becomes incredibly difficult.

"A violation of law that affects data" is also ridiculously broad. Currently,
CFAA is already overbroad and assigns criminal liabilities to far too many
potential acts that simply couldn't have been imagined in the early 1980s.
Any unauthorized access that sees records falling into the many categories
stated and amounts to 1% of a state's population, which could be a few
thousand rows, would somehow subject two people to imprisonment potentially.

And of course, how would this even be enforced? A company can simply change
its terms and conditions to allow for information disclosure, and selling or
giving away things certainly isn't illegal. This would immediately shift the
onus back onto the one accessing the data, who also has no reason to report or
cooperate.

If anyone actually suffers a quantifiable injury, just sue. Warren clearly
hasn't been practicing criminal defense or been a prosecutor for quite
some time because this sort of statute is the sort that both sides get
headaches for.

------
vfulco2
How much longer will the emperor have no clothes and the pols claim something
will be done? AGs had their chance when the 2008 financial debacle hit and all
of Wall Street was guilty of destroying Main Street beyond any reasonable
doubt. Nothing was done. The republic burns down further.

------
kerng
That's an interesting thought, especially if a breach is because of
negligence, or a repeated pattern, or both.

For instance, consider Facebook, I'd imagine their response and actions for
remediation would be quite different if such a law would exist - as for
Facebook it's a repeating pattern.

------
netwanderer3
This would create an unprecedented case, all future lawsuits will reference
back to this one in attempting to hold more CEOs accountable. Never going to
happen!

------
SamReidHughes
The result of this seems like it would create a ton of useless CYA you can put
in front of a jury to make it impossible to prove negligence.

