You probably signed up to lead technology teams, not to worry about jail time. But tech executives can now face criminal prosecution for regulatory violations that used to result in nothing more than corporate fines.
The shift is real and it is happening fast. Joe Sullivan, Uber’s former Chief Security Officer, was convicted in October 2022 of obstruction of justice and misprision of felony for how he handled a data breach. Tim Brown, SolarWinds’ CISO, was charged personally by the SEC with securities fraud; that action is civil rather than criminal, but it names him as an individual defendant. Clearview AI’s management is the target of Austria’s first criminal complaint under the national offence that GDPR Article 84 allows member states to create.
These aren’t fringe cases. They’re precedents that change what it means to be a CTO or CISO. The limited liability that protects a company’s owners from its debts has never shielded an officer from responsibility for their own conduct, and a corporation can be fined but not imprisoned. When prosecutors file criminal charges, they file them against individuals.
This article is part of our comprehensive tech regulation overview, where we examine the critical shift from civil to criminal enforcement in tech regulation. The question you need to answer: do you understand the legal distinctions that determine whether you face an administrative fine or a criminal record? Most technical leaders don’t. This article explains when civil enforcement crosses into criminal territory, analyses the landmark cases, and provides a framework for assessing your personal exposure.
What is the difference between criminal and civil penalties in tech regulation?
Criminal penalties result from prosecution under criminal law. They can include imprisonment, criminal fines paid personally, and a criminal record. Civil penalties are monetary: usually fines levied against the corporation through administrative or civil court proceedings, although regulators can also name individuals (the SEC’s case against Tim Brown is civil, yet he is a personal defendant).
The burden of proof is vastly different. Criminal cases require prosecutors to prove guilt “beyond reasonable doubt” – no reasonable alternative explanation survives the evidence. Civil cases use “preponderance of evidence” – more likely than not.
Intent matters in criminal cases. Prosecutors must prove mens rea, a guilty state of mind: you knew about the violation and acted to conceal or misrepresent it. Many civil violations are strict liability, where no intent is required, though some civil claims still demand a mental element (securities fraud under Section 10(b), for example, requires scienter even in an SEC civil action).
The consequences differ in kind, not just degree. Criminal convictions mean potential imprisonment, criminal fines you pay personally, and a criminal record. Civil penalties mean somebody writes a cheque – maybe €20 million or 4% of global turnover – and in most cases the company pays it, not you.
For a detailed GDPR penalty structure and how these fines compare across different regulatory frameworks, our framework comparison guide breaks down the penalty tiers and triggers for each major regulation.
Civil cases routinely settle without admission of liability. Criminal cases don’t work that way. You either plead guilty or you go to trial.
Civil enforcement usually targets the corporation. Criminal enforcement targets you personally, and the corporate structure offers no shelter from it.
Can tech company executives go to jail for regulatory violations?
Yes. Executives can now face imprisonment for tech regulation violations.
Joe Sullivan’s case made this real. Uber’s CISO was convicted in 2022 of obstruction of justice and misprision of felony for concealing a 2016 data breach affecting 57 million users. Prosecutors sought 15 months in prison. In May 2023 he was sentenced to three years’ probation and a $50,000 fine.
This first trial of a corporate executive for handling a data breach sent shockwaves through the security industry.
Tim Brown, SolarWinds’ CISO, faces securities fraud charges from the SEC for allegedly making misleading statements about the company’s cybersecurity posture. The SEC’s action is civil, but it charges Brown as an individual: the complaint alleges that the public “Security Statement” he signed off on contradicted internal assessments describing the environment as “very vulnerable.”
In Austria, Clearview AI’s management faces a criminal complaint after the company ignored over €100 million in unpaid civil fines. GDPR Article 84 leaves it to each member state to lay down penalties beyond the administrative fines of Article 83, and Austria’s Data Protection Act makes intentional unlawful processing a criminal offence. For more context on how Australian enforcement cases demonstrate this trend toward aggressive regulatory action, including the WiseTech founder investigation, see our comprehensive analysis of Australia’s unique enforcement approach.
Criminal prosecution requires proving criminal intent – you knew about the violation and acted to conceal or misrepresent it. Most violations still result in administrative fines. But where that intent can be proven, prosecutors are now bringing criminal charges.
72% of CISOs now refuse positions without specific liability protection – insurance coverage plus indemnification agreements.
What happened in the Joe Sullivan Uber case and why was he convicted?
Joe Sullivan became the first CISO criminally convicted for breach handling. The 2016 Uber breach compromised data on roughly 57 million riders and drivers, including about 600,000 US driver’s licence numbers. Sullivan’s response to that breach landed him in federal court.
Instead of disclosing the breach, Sullivan directed his team to pay the hackers $100,000 through Uber’s bug bounty programme and had them sign NDAs falsely stating they had not taken any data. He did this while Uber was under active FTC investigation over a previous data breach.
The timeline: in November 2016 the breach occurred and Sullivan concealed it. In 2017 Uber’s new CEO discovered the cover-up and the company disclosed the breach that November. In October 2022 a jury convicted Sullivan of obstruction of justice and misprision of felony; he was sentenced in May 2023.
Obstruction here means interfering with a proceeding before a federal agency. Sullivan impeded the FTC investigation by withholding material information. Misprision means knowing of a felony, failing to report it, and taking affirmative steps to hide it. Paying the hackers and requiring NDAs counted as affirmative concealment.
Sullivan was a former federal prosecutor at the Department of Justice who had handled computer hacking cases. He understood legal disclosure obligations better than most CISOs.
The prosecution proved intent using Sullivan’s own communications. He had given sworn testimony to the FTC about Uber’s security practices only days before learning of the new breach and never corrected it; emails and meeting notes showed he understood the FTC’s expectations. He knew disclosure was required. He chose concealment anyway.
The message: hiding breaches from regulators triggers criminal prosecution, not just regulatory fines. Breach notification processes hardened across the sector in response.
Sullivan received three years’ probation and a $50,000 fine. Prosecutors had sought 15 months’ imprisonment.
What is GDPR Article 84 and how does it enable criminal prosecution?
GDPR Article 84 requires EU member states to lay down rules on “other penalties” for infringements, beyond the administrative fines of Article 83. Recital 149 makes clear those other penalties may be criminal.
Standard GDPR enforcement uses administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher. That’s civil enforcement. Article 84 leaves room for national criminal offences with potential imprisonment for individuals.
Implementation varies by member state. Austria’s Data Protection Act (DSG §63) makes intentional unlawful use of personal data a criminal offence; several other member states, such as Germany and France, have comparable offences in their national law, while others rely on administrative fines alone.
Clearview AI is testing the limits. The company scraped 60+ billion facial images without consent. EU authorities imposed over €100 million in fines. Clearview paid nothing.
Why? Clearview has no EU presence. No offices, employees, or equipment regulators can seize. Civil enforcement against it has proved unenforceable in practice. So the escalation moved to the criminal route: in June 2025, Max Schrems’ organisation noyb filed a criminal complaint with Austrian prosecutors against Clearview AI and its management, relying on the Austrian offence enacted under Article 84. To understand how Clearview AI facial recognition technology intersects with both privacy regulations and AI-specific compliance requirements, including the implications for biometric data processing under the EU AI Act, see our detailed analysis of AI privacy risks.
When civil fines fail, criminal prosecution becomes the next option. The complaint asks Austrian prosecutors to pursue Clearview’s executives personally; whether charges follow is a prosecutorial decision. It also tests extraterritorial reach – an Austrian criminal case against the management of a US-based company.
The Austrian offence requires intent, not mere negligence. Processing biometric data without any legal basis qualifies as the underlying violation, and noyb’s argument is that Clearview’s complete disregard for EU enforcement satisfies the intent requirement.
If your company operates in the EU or processes EU residents’ data, you’re potentially subject to criminal prosecution in member states with Article 84 provisions.
How does the burden of proof differ between criminal and civil tech regulation cases?
Beyond reasonable doubt versus preponderance of evidence. That’s the fundamental difference, and it explains almost everything about how enforcement actually works.
Beyond reasonable doubt means near certainty of guilt. Any reasonable doubt requires acquittal. You can’t imagine a reasonable alternative explanation.
Preponderance of evidence means more probable than not. If regulators can show a 51% probability your company violated the regulation, that’s sufficient for civil penalties.
Criminal prosecutors need extensive proof of both the violation and intent. They must show you knew disclosure was required and chose to conceal anyway. Civil regulators usually just need to prove the violation occurred; under strict liability regimes intent is irrelevant, although it can still raise the fine (GDPR Article 83 treats intentional infringements more harshly than negligent ones).
Regulators use civil enforcement for most violations. Civil cases are vastly easier to prove.
Criminal prosecution gets reserved for egregious cases with clear evidence of intent. Sullivan paid hackers and made them sign NDAs while the FTC was investigating – intentional concealment. In Brown’s case the SEC alleges he signed off on security statements that contradicted his own internal assessments – knowing misrepresentation, if proven.
For executives facing investigation, the burden of proof difference determines whether you face administrative fines or imprisonment. Criminal cases justify extensive defence costs given imprisonment risk.
Documentation becomes your evidence. Contemporaneous records become evidence for or against criminal intent. In Sullivan’s case, prosecutors used his emails showing he understood FTC notification requirements to prove intent.
When does personal liability pierce the corporate veil for tech executives?
Strictly speaking, the corporate veil is the rule that shareholders are not liable for the company’s debts; it has never shielded an officer from liability for their own acts. Executives are exposed whenever enforcement is aimed at them directly rather than at the corporate penalty, and criminal enforcement is aimed at individuals by design: a corporation can be convicted and fined, but only a person can be imprisoned.
The corporate structure protects you from the company’s civil debts, contract breaches, and ordinary negligence claims against the business. It offers nothing once prosecutors file criminal charges in your name. The protection many executives assume they have simply doesn’t apply.
Personal liability also arises from specific conduct. Breach disclosure failures create exposure because disclosure is often a personal obligation. Material misstatements to investors trigger personal liability because you made the statement, not the corporation.
Tim Brown’s securities fraud charges demonstrate this. The SEC charged him personally for misleading cybersecurity statements, even though the action is civil. Neither the corporate structure nor the civil label protects an individual accused of fraud.
Both failure of oversight and active approval of problematic conduct create exposure. Executives who approved the conduct can’t hide behind corporate structure; executives who ignored what they were responsible for supervising may not be able to either.
In the UK, the Privacy and Electronic Communications Regulations (as amended in 2018) let the ICO fine company directors personally up to £500,000 for PECR breaches such as nuisance calls, a power introduced because companies were going into liquidation to escape fines. This is a civil monetary penalty, but it lands on the individual.
Prosecutorial discretion determines who gets charged. Prosecutors choose whether to charge the corporation, individuals, or both.
What criminal charges apply to data breach concealment and misrepresentation?
Obstruction of justice applies when executives interfere with regulatory investigations by concealing evidence or misleading investigators. Sullivan was convicted of obstruction for impeding the FTC investigation by concealing a breach from them.
Misprision of felony is a federal crime (18 USC § 4). Elements include knowledge of a felony, affirmative act of concealment, and failure to report. Sullivan knew about the breach, took affirmative steps to conceal it (paying hackers, requiring NDAs), and failed to report it.
Securities fraud applies when you make material misstatements to investors about cybersecurity posture. This is what Tim Brown faces, in a civil SEC action rather than a criminal indictment. In July 2024 the Southern District of New York dismissed most of the SEC’s claims but allowed claims based on SolarWinds’ public Security Statement to proceed under Section 10(b), finding the alleged gap between that statement and internal documentation actionable. The SEC alleges Brown had described the organisation’s security as “very vulnerable” internally while signing off on external statements claiming “sound security processes.”
Wire fraud, computer fraud, and export control violations also get applied in tech contexts.
UK law criminalises specific data protection violations. Section 144 of the Data Protection Act 2018 makes false statements in response to information notices a criminal offence. Section 173 criminalises altering personal data to prevent disclosure.
Why does breach concealment trigger criminal charges? Because disclosure is a legal obligation and concealment is an affirmative act. State breach notification laws, GDPR’s 72-hour notification requirement, and materiality disclosure obligations all create legal duties. Missing a deadline is usually a civil matter. What turned Uber’s breach into a crime was the cover-up itself: withholding it from an investigating regulator and taking steps to hide it, which is what obstruction and misprision punish.
Prosecutors prove intent using contemporaneous communications. Emails showing you understood disclosure requirements become evidence of mens rea.
How can CTOs assess their personal criminal liability risk?
Six risk factors determine your exposure: disclosure compliance processes, accuracy of cybersecurity representations, documentation practices, insurance coverage gaps, jurisdictional exposure, and company counsel alignment. High-risk indicators include breach notification failures, gaps between public statements and internal assessments, lack of documented decision-making, D&O policies excluding criminal defence, and operations in jurisdictions with criminal tech regulation provisions.
Start with disclosure compliance. Do you have documented, tested procedures ensuring timely notification when a breach occurs? Written procedures with legal review protect you from decisions under pressure that could trigger criminal liability.
Cybersecurity representations create the second risk factor. Do your public statements accurately reflect your internal security assessments? Brown’s prosecution hinges on the gap between public claims and internal documentation. Pull your last investor presentation and internal risk assessment. Do they tell the same story?
Documentation practices matter. Are security decisions documented contemporaneously? Budget requests? Vulnerability assessments? This documentation becomes evidence when prosecutors try to prove you knew about risks and concealed them. For guidance on establishing documented compliance efforts that create an audit trail protection, including breach notification procedures and incident response planning, our implementation playbook provides step-by-step guidance.
Insurance coverage has a gap most executives don’t know about. Most D&O policies exclude criminal defence costs. 38% of CISOs aren’t covered by their company’s D&O policy at all. Criminal defence costs average $500,000 to $2 million+.
Jurisdictional exposure varies. Operating in EU jurisdictions with Article 84 implementation creates criminal liability potential. Processing biometric or health data triggers higher risk.
Company counsel alignment creates a subtle risk. In a crisis, company lawyers represent corporate interests, not yours. The company might cooperate with investigators in ways that implicate you individually.
What insurance and contractual protections defend against personal criminal liability?
Most D&O policies exclude criminal defence costs and all exclude criminal penalties. The insurance you think protects you probably doesn’t cover criminal proceedings.
The Uber CISO conviction shows why “final adjudication” language in the criminal exclusion matters. With it, the exclusion applies only once a final, non-appealable judgment establishes criminal conduct, so defence costs are advanced until then. Without it, you’re uninsured the moment charges are filed, even if ultimately acquitted.
Indemnification agreements obligate companies to reimburse legal costs. But they typically exclude criminal penalties, intentional misconduct, and conduct outside scope of employment.
Criminal defence cost insurance is specialised coverage distinct from D&O. It covers costs of criminal investigations and defence. Most executives don’t have it because they assume standard D&O covers everything.
What should you negotiate? Explicit criminal defence cost coverage in D&O or a separate policy. Broad indemnification covering all actions taken in good faith. Advancement of defence costs, not just reimbursement – advancement means the company pays bills as incurred.
Verify you’re explicitly covered as an officer. 38% of CISOs aren’t covered by their company’s D&O policy because they don’t fit the policy’s definition of “insured.”
Some policies have broad cyber exclusions. If your D&O policy excludes cyber-related claims, it’s nearly worthless for a CTO or CISO.
Criminal investigations are expensive even if you’re never charged. Responding to subpoenas, grand jury testimony preparation, regulatory interviews – all cost money before any charges are filed.
Even with good insurance and indemnification, you may need your own attorney when interests diverge from the company. Red flags: the company settling civil cases while you face criminal exposure, or cooperating with investigations in ways that implicate you. Company lawyers represent the company. When interests diverge, you need separate representation.
The best protection remains proactive compliance. Understanding how to build a compliance program to reduce liability through systematic risk assessment, documented processes, and proper governance structures provides the foundation for defending against both civil and criminal enforcement actions.
FAQ
Can GDPR violations result in jail time for executives?
Yes. GDPR Article 84 requires EU member states to provide penalties beyond administrative fines, and those can include criminal offences with imprisonment for serious privacy violations. In June 2025 noyb filed the first criminal complaint of this kind in Austria, against Clearview AI and its management. Implementation varies by member state – some have criminal provisions, others rely solely on administrative fines.
What is the difference between misprision of felony and obstruction of justice?
Misprision of felony (18 USC § 4) criminalises concealing knowledge of a felony and taking affirmative steps to hide it. Obstruction of justice (18 USC § 1505) criminalises interfering with investigations or proceedings. Sullivan was convicted of both – misprision for concealing the breach, obstruction for impeding the FTC investigation.
Does D&O insurance cover criminal defence costs?
Most standard D&O policies exclude criminal defence costs and all exclude criminal fines. Executives need specialised “criminal defence cost” coverage or explicit policy language including criminal proceedings. 72% of CISOs now refuse roles without this specific coverage, recognising the gap.
When should a tech executive get a personal attorney separate from company counsel?
When individual and corporate interests diverge: if the company is settling while you face criminal exposure, if investigators are focusing on personal liability, if the company is cooperating with prosecution potentially implicating you. Company lawyers represent the company’s interests, not yours personally.
What is the standard of proof for criminal vs civil tech regulation cases?
Criminal cases require “beyond reasonable doubt” (near certainty with no reasonable alternative explanation). Civil cases require “preponderance of evidence” (more than 50% likelihood). This explains why civil enforcement is far more common – much easier to prove – while criminal prosecution is reserved for egregious cases.
Can breach notification failures lead to criminal charges?
Yes, as demonstrated by Joe Sullivan’s conviction. He was charged with obstruction and misprision for concealing the Uber breach during an FTC investigation. Breach disclosure is a legal obligation; concealment is an affirmative criminal act that can trigger prosecution.
What happened in the SolarWinds CISO case?
The SEC charged SolarWinds and its CISO Tim Brown with securities fraud in a civil enforcement action for allegedly making misleading statements about the company’s cybersecurity posture. In July 2024 the court dismissed most of the claims but allowed those based on the public “Security Statement” to proceed, since it allegedly contradicted internal assessments describing the environment as “very vulnerable.” The case tests whether CISOs face personal securities liability for what their companies say about security.
How do criminal penalties differ from GDPR administrative fines?
GDPR administrative fines (up to €20M or 4% of global revenue) are civil penalties imposed by data protection authorities. Criminal penalties under Article 84 are prosecuted through criminal courts and can include imprisonment and criminal records for individuals. Civil fines target corporations; criminal prosecution targets individuals.
What is piercing the corporate veil in tech regulation?
Piercing the corporate veil refers to situations where limited liability protection fails and individuals face personal liability. Criminal prosecution inherently pierces the veil (cannot imprison a corporation). Civil piercing occurs in fraud or when corporate formalities are ignored.
Should CTOs document their cybersecurity decisions?
Yes, contemporaneous documentation is vital for defending against criminal intent allegations. Document security risk decisions, budget requests (especially if denied), vulnerability assessments, and risks escalated to executives. This evidence demonstrates good faith and can refute claims of knowing misrepresentation.
What are the criminal penalty tiers for HIPAA violations?
HIPAA’s criminal provision (42 USC § 1320d-6) has three tiers: (1) knowingly obtaining or disclosing protected health information (up to $50,000 and 1 year), (2) doing so under false pretences (up to $100,000 and 5 years), (3) doing so with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm (up to $250,000 and 10 years). The four-tier structure (did not know, reasonable cause, wilful neglect corrected, wilful neglect not corrected) belongs to HIPAA’s civil monetary penalties, not the criminal ones. In both schemes the level of intent determines severity.
What is extraterritorial enforcement in GDPR criminal cases?
Extraterritorial enforcement means prosecuting entities or individuals outside the enforcing jurisdiction’s territory. The criminal complaint filed in Austria by noyb against US-based Clearview AI and its management is a test of how far that reach extends in practice. Executives of foreign companies can face criminal prosecution under the national offences member states adopt under Article 84.