Today’s CEOs are on the hook like never before. Their company data is under attack, and IT directors are no longer the only employees held accountable for security breaches. In the past, top-level management has typically been able to blame their security and IT departments for cybersecurity incidents, and largely avoid direct accountability. But several recent, high-profile data breaches have shown that those days are over.
Equifax CEO Richard Smith was forced to retire after the company’s recent data breach in which the firm lost personal information for more than 140 million people. He was lucky. U.S. Sen. Elizabeth Warren, D-Massachusetts, blasted Smith saying his resignation wasn’t enough, and that he should also forfeit at least some of his pay. "I've called for Equifax executives to be held accountable for their role in failing to stop this data breach and hiding it from the public for forty days. It's not real accountability if the CEO resigns without giving back a nickel in pay and without publicly answering questions," she said in a statement.
Equifax isn’t the only case where CEOs and top-level management were held accountable for a data breach. Here’s a few examples of management fallout and loss of pay that occurred at other companies who experienced a serious security incident.
Yahoo: As a result of the massive Yahoo data breach, Marissa Mayer, Yahoo’s CEO, did in fact forfeit her annual bonus of around $2 million dollars and miss out on stock awards worth millions more. Ronald Bell, the company’s general counsel was also hit hard, being forced to resign without getting his severance pay.
Utah Department of Health: After hackers accessed thousands of Medicaid records from Utah’s Department of Health servers, the governor of Utah, Gary Herbert, fired Stephen Fletcher, head of the state’s Department of Technology Services.
Target: Following Target’s colossal data breach that affected 40 million customers, CIO Beth Jacob resigned under pressure. Shortly thereafter, the board decided it was time for new leadership and CEO Gregg Steinhafel was replaced.
Sony: In an article from the Huffington Post, Amy Pascal, former CEO of Sony, stated that she was fired as a direct result of the company’s data breach.
Home Depot: Frank Blake, CEO of Home Depot announced his retirement just before the organization’s breach was disclosed. He later stepped down as chairman of Home Depot.
TalkTalk: Dido Harding recently stepped down as CEO of TalkTalk. The company disclosed that their October 2015 cybersecurity incident cost them over 100,000 customers and financial losses of over $83 million dollars.
US Office of Personnel Management (OPM): After 21.5 million federal records were stolen from OPM, Katherine Archuleta initially fought calls for her resignation. But after it was revealed that the breach was worse than initially thought, Archuleta tendered her resignation.
FACC: Austrian aircraft parts maker FACC fired its chief executive of 17 years after cyber criminals stole some 50 million euros ($55.7 million) from the company’s account.
Avid Life Media (ALM): Noel Biderman, CEO of Avid Life Media (ALM), resigned under pressure after Ashley Madison, which is owned by ALM was breached.
In light of all of the recent cases where CEOs and top-level managers have lost their jobs, and in some cases lost pay, it’s clear that these executive leaders and board members must make protecting their customer data a top priority. Consumers, regulators, and the public at large are done with lazy, passive security. They expect business leaders to implement effective data protection systems and create a robust culture of security within their organizations, starting at the top.