Jail Time for CEOs?

This article originally appeared in Future Tense, a collaboration among Arizona State University, New America, and Slate.

Last Wednesday, Sen. Elizabeth Warren unveiled a new bill that—among other ways of expanding criminal liability for what she describes as “any corporate executive who negligently oversees a giant company causing severe harm to U.S. families”—proposes the possibility of jail time for execs of companies that fail to protect consumers from certain kinds of data breaches.

“For far too long, CEOs of giant corporations that break the law have been able to walk away, while consumers who are harmed are left picking up the pieces,” Warren wrote in a press release introducing the legislation.

Under the bill, dubbed the Corporate Executive Accountability Act, leaders of companies can be punished with up to a year in jail if certain conditions are met. Specifically, the bill would open up the possibility of criminal prosecution for execs if their corporation’s annual revenue exceeds $1 billion and if their company commits crimes, repeatedly breaks the law, or is found liable for certain violations affecting “the health, safety, finances or personal data of 1% of the U.S. population or 1% of the population of any state.”

What kinds of violations might pass that 1 percent threshold? The massive 2016 Wells Fargo fake-account scandal, which involved company employees fraudulently creating more than 2 million fake accounts in customers’ names and which Warren specifically called out as a motivation behind the bill, would certainly fit the criteria. So would the 2017 Equifax breach that exposed the personal information of more than 143 million American consumers. Another candidate for criminal liability under this formulation might be Mark Zuckerberg for his company’s alleged negligence in allowing Cambridge Analytica to harvest the personal data of 87 million Facebook users. (The company is currently under investigation by the FTC for potential privacy violations related to how the platform had allowed data sharing with outside developers, which may have violated a 2011 consent decree with the agency).

Then there’s also, possibly, the Yahoo data breach (3 billion user accounts affected), the Marriott hack(500 million customers), and the Target breach(more than 60 million customers), to name a few. (In some of these cases, it’s unclear how many Americans versus worldwide users were affected, so it’s not definitive if they would meet the 1 percent mark given in the bill.)

It’s important to note that, in its current writing, Warren’s proposal wouldn’t apply retroactively, so none of the breaches above would fall under its purview. The examples do, however, illustrate the magnitude of the types of violations the legislation would cover. The corporations involved must also be found to have violated a state or federal law, requiring a thorough investigation, a conviction, or a settlement before an executive could be prosecuted.

Warren’s proposal comes at a time of heated public debate over the perception that big corporations like the ones mentioned above haven’t been held accountable for major breaches of consumers’ privacy and personal data. Many advocates believe that the federal government needs to crack down on these companies—either via heavier regulations, penalties, or punishments—in order to rein them in.

There are pros and cons to Warren’s approach. On the one hand, threatening execs with jail time puts serious pressure on companies to invest in policies and corporate infrastructure to keep user data secure. But, some argue, such approaches go too far. As Josephine Wolff wrote in Future Tense last year regarding a different bill that also proposed prison sentences for not stopping certain types of data breaches, threatening such penalties assumes that executives are “constantly lying about how good their data security is and they are not sufficiently fearful of the consequences of breaches to invest resources in better security.” While that may be true at some companies, Wolff argues, most data breaches are simply a result of companies making terrible, uninformed decisions about cybersecurity.

In any case, as Ars Technica explains, it’s unlikely that Warren’s bill would become law, even if she were elected president in 2020. But her proposal does reflect the populist movement calling for reining in corporations in this space. In recent years, there have been multiple legislative proposals, investigations, and lawsuits seeking to address the security of our personal data. In 2018 alone, Sen. Ron Wyden introduced a much more stringent regulatory measure—the Consumer Data Protection Act—which called for executives to face up to 20 years in prison for knowingly approving inaccurate certifications of their companies’ data security measures. The attorney general of Washington, D.C., sued Facebook for allowing Cambridge Analytica to access users’ data without their permission. And Warren herself proposed the Data Breach Prevention and Compensation Act, which would create an office of cybersecurity within the Federal Trade Commission that would regulate and impose penalties on consumer-reporting agencies. Her office also led an investigation into the Equifax breach, finding that the company was negligent in handling consumer data.

“The current ways we’re trying to hold people accountable for bad privacy and security practices are not working. They’re not clear about what corporate obligations are,” Michelle Richardson, director of the privacy and data project at the Center for Democracy & Technology, told me. (She said she couldn’t speak to the feasibility of Warren’s bill, Richardson said she does support more comprehensive federal privacy legislation that covers not just multimillion-dollar companies but “all entities who handle personal data.”)

Though Warren’s latest bill may never become law, it may help keep both the anger and the momentum up for other action on data privacy and security. And consumers have good reason to keep up the rage. As Slate’s April Glaser has written, data breaches are pretty much impossible to clean up: Tracking down an individual’s personal data after a major breach is incredibly difficult, and there’s virtually no way to guarantee that someone in the depths of the internet is no longer in possession of that information, or predict what harm can come of it. The economic costs to both organizations and consumers can be high too. For example, one analysisestimated that the information stolen in a 2013 breach of Utah’s Medicaid and Child Health Insurance Program would result in more than 120,000 cases of fraud, and that each incident would cost (on average) more than $3,300 in losses. The average cost of a data breach for U.S. organizations in 2018 was $225 per compromised record, according to a report from the Ponemon Institute.

Warren’s Corporate Executive Accountability Act will probably not be Congress’ answer for tackling the proliferation of data breaches and privacy violations we’ve witnessed in recent years. But she does seem to be betting that it can draw attention to her wider campaign to crack down on corporate misconduct.