CEOs Incarcerated for Cyber Attacks

By Daniel Hale, PhD

June 1, 2021, 2:30 PM EDT 

WASHINGTON--The Biden Administration introduced an executive order which holds CEOs for  federal government contractors responsible for preventing damages associated with cyber intrusions into their organizations' computer systems. "For far too long," says Rep. Elizabeth Warren D-Mass "CEOs of giant corporations that break the law have been able to walk away, while consumers who are harmed are left picking up the pieces.”  

"While this order is reported as breaking news " says TEMVI, PLLC managing director and general counsel attorney, Donald Temple, "it's really just a logical extension of the path that the law has been headed for the last 20 years. Since 2002 with the passage of the Federal Information Security Management Act (FISMA), the US Government has recognized the importance of information security to the economic and national security interests of the United States" It is worthwhile to note that without ceremony, President Obama signed five cybersecurity-related bills, including legislation to update the Federal Information Security Management Act, the law that governs federal government IT security. Similarly, in 2020, President Donald Trump signed into law the bipartisan-backed Internet of Things Cybersecurity Improvement Act of 2020. 

By its terms, the new law applies solely to federal government agencies, but its downstream consequences are likely to reach further, impacting devices procured by the federal government and—likely, eventually—consumer devices. These executive orders express every administration's appreciation for the menace that cyberattacks represent to the American public. However, they are--by no means--legally groundbreaking. These actions--in many ways—reflect long-established, mainstream concepts about fiduciary obligations of organizations and their leaders. There have long existed significant penalties for a CEO’s failure to properly manage IT security.  State regulators, prosecutors, and private plaintiffs’ attorneys have always had the ability to hold corporate executives personally liable in cases of gross negligence, particularly when individuals suffer bodily injury or death.  

The driving force behind the trend toward CEO criminal liability does not grow from an increasing appetite for criminal prosecution. Rather, it reflects both the growing prevalence of cyberattacks and increasing connection between computers and heavy machines, hazardous materials, food, and drugs.  “When objects in the real world injure or kill people, the press pays attention. There is the adage that ‘if it bleeds it leads.’ When the public reads about these incidents, juries become activated.  Judges are pressured to mete severe penalties,” says TEMVI’s general counsel and co-managing director, Donald Temple. 

According to Gartner Inc., liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75% of CEOs by 2024. Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of security, focus, and spending currently aligning with  these assets. 

Whether and when these statutes may become law does not appear to be the most important legal consideration. "CEOs and board members are already exposed to civil and criminal liability under existing laws" says renowned civil litigator Donald Temple. Temple is a managing director at TEMVI, PLLC. 

He indicates that CEOs and board members are fiduciaries to all parties who store confidential information in their organization's IT systems (e.g. customers, investors, shareholders, partners, employees etc.).  "The CEO's and board's duties of care extend to all parties whose confidential information is stored in a company's IT system and any party who could be damaged as a proximate cause of a cyberattack." adds Temple.

Ayan View contributed to this story

Copyright 2021 TEMVI, PLLC All Rights Reserved