Data breaches have been on the rise in recent times. This development raises the question of who is responsible for such incidents.

Allocating Responsibility

Recent events and studies have indicated that, in the immediate aftermath of a breach, organisations seek to attribute blame rather than to establish accountability. Following the Uber case involving Joe Sullivan, there is a common concern that CISOs (Chief Information Security Officers) may become scapegoats for data breaches. If a single person can be held responsible for incidents that might not even be within their direct control, this raises questions regarding the governance structure within the organisation.

Conversely, some organisations have no accountability at all following a data breach. In 2021, the Irish Health Service Executive (HSE), the organisation that operates all public health services in Ireland, was embroiled in a huge data breach. In January 2023, Professor Martin Curley, head of digital innovation for the HSE, resigned, likening his role to scaling Mount Everest. These developments came as no surprise to many, as the HSE’s IT infrastructure was chronically underfunded and wholly inadequate.

Any attempt to cover up breaches internally will not be looked upon fondly by the supervisory authorities. In 2018, it was reported that Uber, the ride-hailing company, had suffered a data breach in 2016 that affected 57 million customers. However, Uber’s Head of Security Joe Sullivan failed to disclose the breach. Instead, Sullivan allegedly told his staff to keep knowledge of the breach ‘tightly controlled’ and to present the incident as part of a bug bounty program. Sullivan even went as far as to pay the hackers $100,000 as part of the ‘bug bounty’, with the hackers agreeing to sign non-disclosure agreements as part of the deal. The breach devastated both Uber and its Head of Security. Sullivan was recently found guilty of not disclosing the breach and faces a maximum of five years in prison for obstruction and three years for a misprision charge. As for Uber, the company was fined $148 million (£130 million) in 2018.

How to Lessen the Blow of Data Breaches

At HewardMills we offer advice and guidance on how organisations can build a robust data protection and privacy programme with accountability at the helm. Breach prevention is not just about trying to ensure that a breach does not happen in the first instance; it is also about understanding that mistakes can happen, but that they can always be learned from. When clients come to us with a data breach, we always suggest a call in the aftermath to determine what went wrong and how the mistakes identified can be turned into an advantage. Transparency is a key concept of the GDPR and other similar data protection legislation. Instilling the concepts of compliance, transparency and accountability will help to ensure that organisations can weather the storm of data breaches in the future.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.