> The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.
Is 23andMe going to actually be held responsible?
I think both our industry and our information infrastructure would be vastly better if companies were forced to be serious about security when they are collecting and holding private data.
As I understand it, only if they can prove some pretty intentional negligence. If some random dude sucks at his job and forgets to encrypt so-and-so, or to change the default password on such-and-such, it's not really the CEO's fault. Maybe you could chase after the CTO if they had policies which directly led to this issue.
Again, just as I understand it, that's why nobody gets in trouble for this shit. It's not really fair to blame any one particular person. Whether or not that can be remedied by modifying the corporate system we operate in somehow, I don't know. Probably yes, but that's not my skillset at all.
edit: but in any case, this was due to people re-using passwords, so I doubt you could realistically blame the company.
> Maybe you could chase after the CTO if they had policies which directly led to this issue.
> It's not really fair to blame any one particular person
These are literally the very circumstances that we were presented with as reason why executive compensation is astronomical. It's all that responsibility they have to assume in times like these, right? They're supposed to fall on their sword, and whoever replaces them is supposed to make damn sure shit like this doesn't happen on their watch. The pay and parachutes ensure they land on their feet.
The reason nothing ever changes is because these clowns never get in trouble. If you want that $10M salary, you better make sure everyone under you is doing their part to ensure events like this don't happen, or you get dethroned.
Does China still sell melamine-tainted baby formula? We've been conditioned to just let our leaders stay in command after plowing into icebergs, while they blame and execute the engineers shoveling coal below deck.
Nobody is getting paid that much because anyone is realistically expecting a CEO to watch every action taken by every employee. The reason CEOs get paid so much is because it was discovered that luring them to a company with big paychecks results in higher dividends, and we've swung in that direction on investments.
The solution isn't to randomly start blaming CEOs for things they had no realistic control over, it's to swing in the other direction of putting more money towards workers by taking it away from pure growth-oriented goals.
I feel like the available data is way too scarce to attribute positive results to any individual executive with any degree of statistical significance. Do you know if there’s been research done on this?
My perception is that it’s really really hard to differentiate between someone who’s genuinely a force to be reckoned with and someone who’s just in the right place at the right time. After their first success they can hop around between companies from executive role to executive role playing it safe and riding the gravy train just by not fucking it up. I’d be interested if anyone can provide examples of executives that consistently trigger inflections in a company’s performance within say 2 years of joining across multiple companies. I’m genuinely curious.
I frequently encounter software that doesn't let me reuse my password. It is not an excuse. The company should be held accountable that it allowed clients to reuse their passwords; allowing it is negligence.
Intent is not a sufficient legal standard to address this epidemic of negligence. We need Strict Liability for data protection.
You frequently encounter software that doesn't let you reuse a password that's been used anywhere else? Or just in the same system? I've not seen the former.
I remember software that will stop me from using stuff like "password". How hard is it to grab a copy of any of those password leaks and ban any password found in there?
It is not hard and every web service really should implement this sort of check. I’m actually pretty surprised to see so many comments here that aren’t aware of it!
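The check the two comments above describe, as an added example that is not code from the thread or from 23andMe: at registration or password change, hash the candidate password and look it up in a corpus of leaked passwords, rejecting any hit. The breached-password list here is a small constructed stand-in for a real leak corpus, and the lookup is structured as a k-anonymity range query (send only the first five hex characters of the SHA-1, receive every matching hash suffix with its count) so the server-side corpus never learns the full hash; the `range_lookup` function simulates that server locally so the example runs offline.

```python
import hashlib

# Constructed stand-in for a leak corpus. Each entry is one observed
# occurrence, so a password listed twice has a count of 2.
BREACHED_PASSWORDS = ["password", "password", "123456", "qwerty", "letmein", "Password1"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form breached-password range indexes use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Partition the corpus by the first 5 hex chars of each hash.

    Every bucket holds 'SUFFIX:COUNT' strings, the format a range query
    returns. A client asking for one prefix gets the whole bucket and does
    the final comparison itself, so the server never sees the full hash.
    """
    counts = {}
    for pw in passwords:
        h = sha1_upper(pw)
        counts[h] = counts.get(h, 0) + 1
    index = {}
    for h, n in counts.items():
        index.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
    return index


def range_lookup(index, prefix):
    """Simulated server side of the range query (assumed, local only)."""
    if len(prefix) != 5:
        raise ValueError("range query prefix must be exactly 5 hex characters")
    return index.get(prefix.upper(), [])


def breach_count(password: str, index) -> int:
    """Number of times the password appears in the corpus, 0 if never."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(index, prefix):
        sfx, n = line.split(":")
        if sfx == suffix:
            return int(n)
    return 0


def password_acceptable(password: str, index, min_length: int = 8):
    """Registration-time policy: minimum length, then the breach-corpus check."""
    if len(password) < min_length:
        return False, "too short"
    if breach_count(password, index) > 0:
        return False, "appears in a breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["password", "short", "correct horse battery staple"]:
        print(candidate, "->", password_acceptable(candidate, idx))
```

Rejecting known-breached passwords cuts off the credential-stuffing path this incident relied on without the service having to see the user's other accounts; in production the range query would go to a breached-password service rather than the local `range_lookup`, and the check is worth repeating at login since a password can enter a leak after it was set.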
From the perspective of the users/customers/people the harm was done to, the company is the abstraction that they deal with. Companies can be hit with a billion/trillion dollar judgment. The injured parties don't care which executive at the company will get a smaller bonus this year; they're not unfairly blaming.
Separate from that, if there are laws and regulations, the company could also be hit with fines. Officials could also investigate individual culpability for bad behavior by people within the company, but that possibility doesn't mean that any kind of holding companies responsible would be unfair.
Why would 23andMe be held responsible? The article doesn't indicate that they did anything wrong. You can't really blame them for users reusing the same password on multiple sites.