Data breaches often result in CEO firing

A cautionary tale of how cyber security failures can cost a CEO their job.

1 2 Page 2
Page 2 of 2

Regulatory attention

Under HIPPA alone, health information privacy complaints have risen from 6,534 in 2004 to 17,779 in 2014. At end of October 2015 the complaints received by Health and Human Services totaled 123,065. That is a 592 percent increase without two months of additional data. The UK’s Information Commissioner reports similar challenges for 2015, “There was a 44% rise in the number of data security incidents in the health sector compared to the previous quarter (from 193 in the first quarter to 278 in the second quarter). The health sector continued to account for the most data security incidents. This was due to the combination of the NHS making it mandatory to report incidents, the size of the health sector, and the sensitivity of the data processed.”

Regulatory attention increases the likelihood of fines and an additional cycle of negative publicity. Even with increased regulatory attention and negative press, fines are still relatively rare when compared with the volume of breaches reported. Regulators have been warning that information security breaches will see increased scrutiny and higher fines. Last year’s record breaking fines from the US Federal Communications Commission and recent enforcement action from the US Federal Trade Commission have shown these warnings to be far from idle.


The CEO’s Fate

Target: On May 8, 2014, Forbes reported that Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions, “Following The Massive Data Breach And Canadian Debacle”. In this instance, Steinhafel’s departure from Target may not be solely attributed to the Target breach but also to a poor outcome with Target’s failed expansion into the Canadian market.

Home Depot: Frank Blake announced his retirement as CEO, shortly before the September 2014 breach came to light. He could have easily dropped the incident in the lap of the incoming CEO, but he didn’t. He captained Home Depot through the choppy waters of this incident with great skill. The company’s share price didn’t skip a beat; however, in February 2015, he stepped down as chairman of Home Depot as well.

Sony: In a Feb. 12, 2015 article from the Huffington Post, Amy Pascal, former CEO of Sony, openly admitted that she was fired as a direct result of the December 2014 breach.

TalkTalk: Dido Harding is currently the CEO of TalkTalk. Recently the company disclosed the October 2015 cybersecurity incident cost them over 100,000 customers and a financial loss of £60,000,000.00 (US $83,132,024.00). This comes on the back of the recent announcement of three Wipro employees arrested for hacking TalkTalk.


Information security breaches directly affect the reputation of a business, but it is unclear how detrimental that is to the bottom line. Only TalkTalk suffered significant reduction in their share price. There is little doubt that heavily publicized information security breaches will draw the attention of regulators. There is less certainty that attention will result in a significant fine. The impact of the cybersecurity breach on the CEOs of Target, Home Depot and Sony was more severe than the impact on their company’s. They were no longer in their positions within six months of the breach. The apparent six-month window is still open for TalkTalk’s CEO. The long-term risks of an information security breach to companies appear to be changing, but the near-term risk to corporate CEOs seems clear.

Copyright © 2016 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)