IT execs on firing line over security breaches

Computerworld - The cost of data breaches may be getting a lot higher for IT professionals who are deemed to be responsible for failing to properly secure corporate information.

For example, AOL LLC's chief technology officer abruptly resigned this week in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. AOL also fired two workers in its research division, which was responsible for the data release and had been overseen by now-former CTO Maureen Govern.

It was the second time this month that high-level technology managers lost their jobs because of data breaches. On Aug. 3, Ohio University announced that it had sacked two top IT managers for what it saw as their failure to prevent a series of breaches that were discovered at the Athens-based school during the spring.

In addition, university CIO William Sams announced in July that he would resign once someone is found to replace him, saying it had "become clear to me that a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential." Sams is still on the job, though, and he wrote the termination letters to the two fired managers.

IT managers should expect firings and other harsh disciplinary actions to become more common as organizations face increasing public pressure to address data breaches that they suffer, said Robert Scott, managing partner at Dallas-based law firm Scott & Scott LLP.

"In order for companies to have a credible position in the marketplace, they're going to have to explain in a public way what they have done to address the issue," Scott said. "The risks that companies face from a liability and a reputation perspective are such that when breaches occur, people will not only need to be held accountable, but heads will have to roll."

Such "forced accountability" is at least partly the result of the intense media scrutiny that data breaches now receive, said Bob Hartland, director of IT, servers and networking systems at Baylor University in Waco, Texas. The attention has heightened public concerns and "made a lot of people nervous," he said.

Tim O'Pry, CTO at The Henssler Financial Group in Kennesaw, Ga., said accountability is necessary, and it's reasonable to expect that people will lose their jobs where negligence has occurred.

The problem is that many times, the workers responsible for a security breach are only following what until then had been accepted practices within their companies, O'Pry said. And they may not have had the responsibility or authority to change the practices, he noted.