Skip to main content Skip to main menu

Main menu


Should executives go to jail over cybersecurity breaches?

Terry MIS professor Dave Chatterjee offers his perspective
Wednesday, March 27, 2019 - 10:04am
Matt Weeks

A bill introduced in the U.S. Senate proposed “jail time of up to 20 years” for senior executives who knowingly misreported their companies’ cybersecurity readiness.  The penalties proposed in the Consumer Data Protection Act were criticized as being too harsh, but Terry MIS professorand cybersecurity expert Dave Chatterjee says senior managerial involvement is strategically crucial to reduce the threats and economic costs of data breaches.

“Cyberattacks are becoming an epidemic,” he writes in the Journal of Organizational Computing and Electronic Commerce. “Cybersecurity preparedness is a critical and distinctive competency, and senior management has to accept this business reality. Investing in cybersecurity defenses must be given strategic priority even though such investments cannot be associated with revenue generation activities.”

Cybersecurity is a rare instance where complying with legal requirements are not enough to ensure protection, Chatterjee says. Because hackers are increasingly aggressive and sophisticated, businesses must be constantly vigilant, from the top of the organization to the bottom.

“Without active involvement and engagement of senior leadership, it is impossible to motivate all organizational members to do their part in protecting the organization,” he writes. “The cyber war cannot be fought effectively by just a team of security professionals. It requires an organization-wide initiative and effort to protect the numerous enterprise vulnerabilities and endpoints. Humans continue to be the strongest and weakest link in the cyber security chain and need to be adequately equipped with training and tools.”

While there are no guarantees that even the most robust procedures can prevent a cyberattack, organizations should be proactive and take definitive steps to secure private data, Chatterjee says.

“If every reasonable effort was made to prevent data breaches, then executives shouldn’t have to go to jail over cyberattacks,” he notes.

Department or Program featured: