Are CEOs responsible if there is a breach? Posted by John on 16 September 2015

Many articles have been published recently about CEOs being fired after data breaches. Ashley Madison and Target are obvious examples, but the question remains: is this fair? Does the responsibility for good data protection practices rest with the CEO? Let’s take a look at this question in a little more detail.

On the issue of good Data Protection (DP) strategy and governance, a capable organisation should develop, communicate and support objectives that fit the organisation’s business model and risk appetite. A capable CEO (from a DP perspective) should encourage executives and managers to budget accordingly for DP projects and, where applicable, to become DP sponsors and even DP leaders. So why should this happen, and why does it so rarely happen in practice?

Securing a DP budget

Very often, compliance is hard to get a budget for; organisations can have a tendency to aim for ‘finger-tip’ compliance. In other words, they do just enough to be compliant and no more. However, DP is not a typical compliance area with no upside. Good data protection practices result in a stronger brand, better customer relationships, better quality data and more accurate marketing campaigns. Notwithstanding that, the risk of poor data protection practices, as we all know, can and often does result in catastrophe. So securing a budget for DP initiatives seems like a relatively easy thing to do. The barrier is very often the CEO and the executive team. If the budget for such initiatives is not forthcoming, then it is hard to look past the CEO and the executive team when considering who is responsible.

Training and DP leaders

Assuming a budget is available, the task of implementation rests with everyone in the company. Managers and front-line staff need to pick up the baton here, provided they are trained and policies are in order (a big assumption, I admit, but we will leave implementation for another article). Crucially, CEOs and executives should promote a leadership style that drives data protection compliance and fosters a culture of data protection compliance and awareness. Many of our clients have fostered such an encouraging atmosphere that managers become DP leaders in their own right. These leaders speak at events and promote the benefits of DP practices, not only internally but externally.

It must be recognised that even with the best will in the world and the most inspiring leaders, breaches can still happen. However, it is telling that in many cases where serious breaches occur, data protection leadership is missing.

So who is responsible?

It is probably fair to say that in most cases the CEO and the executive team have not done enough and are consequently largely responsible. That being said, best endeavours can never guarantee that there will be no breaches, but they certainly reduce the risk, improve the response if and when a breach happens, and promote a brand that can be trusted.