In 2017, criminals stole the personal data of about 143 million people from the credit rating system Equifax. It was a huge embarrassment for the company and a headache for the millions of people affected. Equifax’s then-57-year-old CEO Richard Smith retired in September 2017, weeks after the breach was discovered, with a multi-million dollar pay package.
Massachusetts US Senator turned Democratic presidential candidate Elizabeth Warren wants to make sure that CEOs who preside over massive data breaches in the future don’t get off so easily. On Wednesday, she announced the Corporate Executive Accountability Act, which would impose jail time on corporate executives who “negligently permit or fail to prevent” a “violation of the law” that “affects the health, safety, finances or personal data” of 1 percent of the population of any state.
A CEO could get up to a year in prison for a first offense. Repeat offenders could get three years.
The penalty only applies to companies that generate more than $1 billion in annual revenue—Equifax had $3.4 billion in revenue in 2017. It also only applies to companies that are either convicted of violating the law or settle claims with state or federal regulators. Equifax may qualify on this score, too, since the company signed a consent decree with state regulators last year.
With that said, it seems that most data breaches probably wouldn’t trigger criminal penalties under the proposed new law. A CEO would only face jail time if a data breach was the result of illegal activity by the company if prosecutors can show that the CEO was negligent in failing to prevent it. And under current law, merely being the victim of a data breach isn’t a crime.
While federal laws on data breaches are not very strict, states have enacted a variety of laws on the subject, and some may pass stricter laws in the future. So if a company’s data-management practices violate a single state’s laws and result in a breach affecting 1 percent of the state’s population, that could be enough to trigger personal criminal liability for the company’s CEO.
Sen. Ron Wyden (D-Ore.) has proposed an even harsher data privacy law—one that envisions executives getting up to 20 years in prison for violations of their customers’ privacy.
Warren’s proposal is one part of her much broader campaign to crack down on corporate malfeasance. I’ve focused on data breaches here, but the Corporate Executive Accountability Act allows prosecution of the CEO of any company whose illegal conduct threatens the health, safety, or finances of 1 percent of the public. Warren points to Wells Fargo’s 2016 fake-account scandal as another case where criminal prosecution of corporate executives would have been appropriate.
So, would this bill actually pass under a Warren presidency? Warren is the most prolific Democratic presidential candidate when it comes to making legislative proposals. The Corporate Executive Accountability Act is one of many bills she has proposed in the weeks since she launched her campaign. Given how difficult it is to pass legislation through Congress—especially given possible Republican control of the Senate—it’s unlikely that President Elizabeth Warren would be able to enact all—or even most—of her proposals. So the Corporate Executive Accountability Act probably won’t become law any time soon, at least in its current form.
Still, Warren’s proposal does reflect the mood of the populist Democrats Warren is vying to represent. Her proposal will put pressure on other Democratic candidates to enact tougher policies against misbehaving CEOs. And Warren just won re-election last year, so if she doesn’t become president, she’ll be able to stay in the Senate for the next four years, continuing to push for harsher treatment of corporate CEOs.