Personal liability for professional decisions
Should IT professionals be fined or prosecuted for bad choices?
Everyone makes bad decisions. When you’re a senior leader in an organisation, that can mean massive revenue loss, or even a security risk to consumers. That’s why professional liability insurance exists, after all.
Corporate Manslaughter is probably the most well-known case of legislation introduced to hold executives accountable for corporate actions that may not be otherwise governed by common law.
There is debate over the legislation’s effectiveness in practice with a small number of convictions since its introduction in 2007. It has, however, been very effective at driving awareness and influencing decision making.
Now, legislation is reaching beyond the most serious issues of homicide and reaching into the more mundane world of IT failure.
Is it correct to hold senior technology leaders responsible for IT failures and security breaches?
And does being personally accountable improve decision making and reduce the likelihood of an incident?
Typically, organisations have multiple senior leaders responsible for the business’ survival. So where does the buck stop when things go wrong? Cases of senior IT professionals held personally liable for crises in their companies show a shift in scrutiny from firm to individual. They made some poor decisions and paid – a lot – for them.
Companies now have more access to personal data than ever before. It’s no surprise, then, that regulators are paying close attention to the significant responsibility that brings.
Ranging from negligence to deliberate cover-ups, we take a look at two major cases – from Uber and TSB – from the last few years.
Prosecutions are, by nature, case-by-case. But holding individuals personally liable when their (bad) decisions affect millions is an important driver of accountability. And financial penalties are a strong motivator. Whether or not the outcome is intentional, those who are tasked with handling the systems and technologies in question are ultimately responsible for the consequences.
‘Concealment of important information from the public’
In May 2023, former Uber Chief Security Officer Joe Sullivan was sentenced to three years’ probation and given a $50,000 fine for covering up a massive 2016 data breach at the ride-sharing giant.
Sullivan started as Uber’s CSO in 2015. At the time, the company had recently disclosed a 2014 data breach which compromised about 50,000 consumers’ personal information. This led to an FTC investigation. Shortly after, Uber was hacked once again. This time the hackers contacted Sullivan directly. About 57 million users had their data stolen.
According to the US Justice Department release covering the charges, “Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC.” He then paid the hackers $100,000 in exchange for them agreeing not to disclose the hack.
Following Sullivan’s trial in 2022, information security professionals were reportedly worried about liability in similar situations, according to the Wall Street Journal. Edward Amoroso, formerly chief security officer at AT&T Inc., told the WSJ that many top security officers believe Sullivan did nothing wrong.
Prosecutors originally wanted a 15-month prison sentence. One of the reasons Sullivan isn’t facing jail time is the volume of letters of support sent by industry peers and his friends and family – and because it was the first case of its kind.
According to the WSJ, Judge William Orrick added:
“If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognises that.”
In a Press Release following the conviction in 2022, U.S. Attorney Stephanie M. Hinds said:
“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
Failure to take ‘reasonable steps’
In April this year, Carlos Abarca, the former CIO of TSB, was fined £81,620 for operational resilience failings at the bank in 2018. The Prudential Regulation Authority’s (PRA) investigation found that Abarca breached its Senior Manager Conduct Rule 2 in failing to take “reasonable steps to ensure that TSB complied with PRA Outsourcing Rules.”
In short, Abarca didn’t make absolutely sure that a third-party service provider contracted by TSB was up to its task.
In 2018, TSB migrated data for its corporate and customer services to a new IT platform. The data migration itself was successful. However, the platform immediately experienced technical failures.
The result was major disruption to the continuity of TSB’s banking services, including branch, telephone, online, and mobile banking. The initial issue affected a “significant” portion of the bank’s 5.2 million customers. Many were still dealing with the effects by December 2018.
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said: “Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively.”
In this case, he added, “the PRA has fined Mr Abarca because his management of a key outsourcing relationship fell below the standard we expect.”
The Bank of England Senior Managers Regime (SMR) was introduced in 2016 “for banking institutions to embed greater individual accountability by ensuring authorised firms allocate clear responsibilities to key decision-makers”.
Under these regulations, firms must allocate “prescribed responsibilities” – which are specified in the PRA Rulebook – to Senior Managers.
“At the core of the SMR is the belief that companies should be led by skilled, principled colleagues, that there is absolute clarity about the responsibilities of the senior leadership team and that leaders of a business are held to account for its failures as well as its successes.”
Are you liable?
Regulations differ based on industry. Personal liability for incidents will depend on seniority and responsibilities. In financial institutions, like TSB, the PRA’s Senior Managers Regime applies. That means C-level executives, directors, department heads, and senior managers – and anyone “responsible for the executive management of those areas of a firm […] relevant to its safety and soundness objective.” That includes overall business, financial resources, risk management, internal controls, and key business areas.
You can learn more about the regulations and how they apply in the PRA’s 2021 supervisory statement on Strengthening individual accountability in banking.
For publicly owned companies, the rules are different. Company directors – including IT directors – have a responsibility to the shareholders who appointed them, the organisation, and the public. A director can be found personally liable for an offence committed by the company – be it deliberate or through neglect – whether or not they knew about it. This includes cases in which directors should have known about an incident, given their role, but didn’t – meaning ignorance isn’t a defence.
Make sure you’re familiar with what your industry's regulators require in the event of data loss or breach. Then build it into your incident response strategy – before it becomes urgent.
In IT, failures are inevitable. If something can go wrong, it will. Human error has been one of the top causes of data loss and downtime for as long as we have been carrying out our annual survey, the Data Health Check.
With these cases, it isn’t about fining IT Admins for minor failures. It's about holding senior executives responsible for failings that affect their customers, shareholders, and the wider markets they operate in.
There is also a wider question of what effect this will have on the employment market for these positions. Will it allow CISO applicants to demand higher salaries? And would that, in turn, open them up to greater scrutiny – or show that they’re taking the responsibility of their position seriously?
At this year’s RSA Conference in San Francisco, Gadi Evron, CISO at venture capital firm Team8, said that following Sullivan’s trial many CISOs thought, ‘Should I leave this occupation?’ and ‘Why is the CISO the only one standing trial?’
Think about it. If you were a CISO weighing the risk of a role at a publicly listed or financial services company, versus an organisation with no risk of personal liability, which would you choose?
TechTarget, which covered the conference and the panel featuring Gadi, suggests – among other things – holding crisis communication drills to mitigate your risk of liability. It also stresses the importance of defining and knowing your role responsibilities as CISO, using the correct terminology, and not panicking. For more on crisis communications and cyber, you can listen to our podcast episode on the subject.
Preparation through practice is the backbone of any solid Business Continuity and Incident Response plan. Since you’re reading this, you probably know that already. If you want more information on how to train for the unexpected, you can read our article on training your team to respond in a crisis, and find more resources and articles on our blog.