By Bruce Sussman
Tue | Dec 4, 2018 | 7:46 AM PST

He's one of the most active U.S. senators when it comes to privacy and cybersecurity. In fact, he just convinced the Senate to start using disk encryption on its computers and laptops. 

Last month, we reported on Senator Ron Wyden's proposed legislation to put company executives in jail—including cybersecurity leaders—if they neglect privacy and cybersecurity. Now, he is doubling down on his call for stiff penalties.

Wyden tweeted the following after the Marriott data breach, which has impacted 500 million customers and created billions in lawsuits.



Senator wants to jail CEOs, CPOs, and CISOs

Wyden's second tweet refers to the Senate bill he introduced earlier in 2018 to jail Chief Information Security Officers (CISOs), Chief Privacy Officers (CPOs), and Chief Executive Officers (CEOs) for decades, if necessary, to get companies to take privacy and cybersecurity seriously.

As SecureWorld reported, Wyden's bill proposes a number of things, including: 

  1. Establishing minimum privacy and cybersecurity standards
  2. Issuing steep fines (up to 4% of annual revenue, like GDPR) on the first offense for companies, and 10- to 20-year criminal penalties for senior executives

You read that correctly: Wyden is proposing 10- to 20-year jail sentences for CISOs and others in executive leadership who neglect cybersecurity or privacy.

InfoSec reacts to CISO jail time Senate bill

Senator Wyden's proposal hit a nerve with the SecureWorld InfoSec audience:

SecureWorld speaker @anniesearle tweeted, "Not exactly a job enticement for CISOs..."

And @JSweeney_BG replied to @SecureWorld, "There is an immense shade of grey with regards to data privacy and cybersecurity requirements for businesses. The line dividing ignorance from culpable negligence in the eyes of the law, however, can be extraordinarily thin."

And the comments keep coming:

Let us know what you are thinking on this topic. Will the threat of massive fines and jail time improve cybersecurity and privacy practices in corporate America? Or could unintended consequences actually do more harm than good?

Comment below or drop us a line at

Wyden is calling his bill the Consumer Data Protection Act of 2018, and he is asking for input:

[MORE: One-page overview of the national cybersecurity and privacy Senate bill, and the full text of the proposed legislation: Consumer Data Protection Act of 2018]

If this bill moves forward, we're sure it will be a hot topic at SecureWorld events in 2019.