Remember 2015 when an incoming CISO infamously announced he was quitting Yahoo? In retrospect we know he was failing to disclose their breaches, trying to sneak out the back door yet avoid charges of misconduct.
His abrupt departure, after just one year in his first ever CISO role, was announced very loudly as an intention to lead Facebook instead, because, he said, it was the best in the world at protecting people’s information (and soon afterwards he promised privacy where there would be none).
In fact his track record delivered the exact opposite, and regulators are not pleased.
Not only did Facebook flounder under this CISO’s outspoken and high-profile yet vapid command, leading to the largest breaches in history, it pushed back at regulators and then failed even to pass a basic test of “key data protection principles”.
The DPC’s decision follows an inquiry by the Data Protection Commissioner (DPC) into a series of 12 data breach notifications received by the DPC between June and December 2018.
The regulator found that Meta Platforms Ireland infringed Articles 5(2) and 24(1) of the GDPR, which require organisations to put measures in place to meet key data protection principles.
The DPC found that Meta “failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data”.
In other words, more and more people agree that the CISO should probably go to jail.
Today the UK government is announcing that executives whose companies fail to cooperate with Ofcom’s information requests could now face prosecution or jail time.