top | item 46656770

(no title)

According to this report [1] the appeal was about specific requirements like encryption, and he claimed he had delegated it. So it is clear that it is hard to actually hold people responsible.

> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.

> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.

> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.

> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.

> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.

[1] https://www.helsinkitimes.fi/finland/finland-news/domestic/2...

discuss

blell|1 month ago

No, it’s just that it’s crazy to hold the CEO liable for absolutely everything that can go wrong.

louthy|1 month ago

> “absolutely everything”

It isn’t absolutely everything, it’s for negligence. If you don’t have basics in place, like independent pen-tests, ISO 27001 audits — or some equivalent — when you’re handling clinical data, then that’s negligence.

If a breach happens and you were seen to have followed best practice, you won’t be found criminally negligent.

That is part of being an executive. The buck stops with you — if you’re an executive, you’d better understand your obligations, you get the big bucks for a reason, it isn’t just a fancy job title.

Other people in the organisation can be held accountable for criminal acts, but when it comes to criminal negligence, it’s the executives that are liable, because it’s a systemic failure and you’re deemed to be in-charge of the system.

nkrisc|1 month ago

But this is not “absolutely everything”. No one is saying CEOs should be accountable for every action of an individual employee.

So if not the CEO, who is accountable when something like this breach happens? The CTO? The PM The DBA? Nobody? Maybe they’ll care developer who wrote the code or botched the configuration should be prosecuted?

CEOs can justify their pay be being accountable for what their company does. They’re the CEO, after all. Maybe they’ll care more when they have some actual skin in the game.

HighGoldstein|1 month ago

Is it sane to reward them for almost absolutely everything that goes right? Because that's the status quo for this position.

butvacuum|1 month ago

Privatize the gains and socialize the losses. egh?

fifilura|1 month ago

The CEO is responsible for ensuring that there is a routine for security.

If that is not created -> CEO responsibility.

If that is not followed -> top level mgmt responsibility.

And so on, further down the chain.

wolvoleo|1 month ago

Well this is why they get paid so much isn't it? Because they carry the responsibility.

IshKebab|1 month ago

It's normally the company directors that are personally liable.

arresin|1 month ago

So who?