Well the law is changing to make failure to carry out your responsibilities as a specific officer in a company a criminal offence. But that’s got nothing to do with a companies limited liability.
There are plenty of other positions in companies that come with similar personal criminal liability. They mostly only exist in finance industry, but the roles of CEO, CRO, MLRO etc in most financial institutions come with personal criminal liability.
The liability in these cases is usually tied to competence and knowledge. It’s illegal to be incompetent at your role, and it’s illegal to be ignorant of the activities of your company that fall within your roles responsibilities. The expectation is that individuals in this role will setup policy and monitoring frameworks to make sure that nobody is doing any stupid, that might result in them going to prison.
All of these requirements came into existence after the 2008 financial crisis, after it became apparent that senior leaders in financial institutions we’re keeping themselves deliberately ignorant of the misbehaviour of their companies, and creating a situation where nobody could be held responsible for the mess.
I’m not sure that age verification for website meets the bar needed for applying this approach here. But there are certainly places where it makes sense.
Not knowing that an employee of a company broke the law and you're a director or more senior manager probably shoots down any chance of a due diligence defence.
If we were running under the liability model the CSO's final option would be to resign which sucks. But he is basically in the same situation that any employee is who is being forced to do something that is clearly illegal. But, I guess that is a good argument for why liability might not work because you end up not having a security team or you put good people into legal dilemmas that they shouldn't have to deal with.
Oh in point of fact this was illegal if it's true, and I don't know how you ignore the law in who you can "fault" with respect to corporate officer conduct.
”I didn’t know I was breaking the law” is not a valid excuse for a private person and it shouldn’t be for an executive either. A company big enough that the execs don’t know about day-to-day operations should have processes in place that would notify them if something illegal was going on.
There is no job description that legitimizes illegal activity. There's a host of specific regulations that dictate the job of a C-level in a publicly traded firm is _explicitly_ not to behave this way. It's weird you think there's a corporate way to handwave this.
Smart modern companies arrange it so that upper management never has that sort of moment. They break the law by setting up perfectly legal incentives and requirements that just happen, by their combined effects, to encourage or even require the minions to break the law. At no point is this ever acknowledged, and there is almost always a clear written policy stating that employees are expected to obey all relevant laws and regulations. This ensures that, when systematic fraud like this is uncovered, there is nobody to take responsibility and nobody has to go to jail, or at least nobody who matters.
I think usually they are low profile civil cases not criminal.
I know there are cases where an executive has made fraudulent decisions and gotten charged personally for fraud vs the company.
I have first hand knowledge of several at smaller companies where the board of directors sued an ex executive or sometimes another member of the board.
There are also several high profile cases going through courts around Blockchain companies where the government is arguing that the executives themselves are willing participants in money laundering.
Importantly, breaching your duties does not mean you are bad at your job. If you lose the company lots of money because you suck at your job you probably aren't in breach. You have to intentionally make a decision that is not in the interest of the people you have a duty to.
[I expect if I'm being asked to do something, it's been vetted by our corporate legal team. I should not be expected to know every aspect of criminal and civil law to protect myself from my employer.]
"I have been only following orders" had stopped being a valid defense quite a long time ago.
Sure, but the more likely way in which these things go is: "Do what you have to do to make us pass those emissions tests" and "Get rid of that industrial waste" and so on.
No clear command to do something illegal but the employee is left with two choices: do something illegal or end up not doing what they were told to do.
Culpability is a thing that can be smeared out effectively across the layers of a large organization where each layer only sees the delta between the one above it and the one below it, the people that know the law and the consequences are safely (or so they think) insulated from the hands that commit the crimes and the hands that commit the crimes typically don't know the law.
This situation has - as far as I know - never really been addressed explicitly in the law hence the institutionalization of 'the buck stops at the top'. Even if you don't know and even if you did not order it explicitly you are - and should - still be held responsible. The question at hand is if that should include criminal liability for all cases where the employees break the law and I think there are plenty of cases where employees breaking the law should not lead to culpability of management, for instance, those cases where employees gain an advantage for themselves at the expense of the company, the customers or the society they operate in. But in most other cases where the company gained an advantage the execs should be liable. That alone will get companies to behave like good (immortal) citizens.
> No employee is breaking laws in an effort to further the objectives of a company
That's am absolute statement that employees are not to be held accountable.
> Responsibility isn't zero sum.
I totally agree. Doing a bad thing is bad. Ordering someone to do something bad is bad. Absolving someone who did something bad to fulfill your own twisted worldview is also bad.
Good thing it would be almost impossible to attach personal liability to an employee of a corporation unless they intentionally designed the system to be unsafe with malicious intent.
> compartmentalizing the org structure so that it removes the manager from liability and shifts the blame to a fall-guy is a common theme in organized crime. It is also illegal.
There is nothing necessarily "illegal" about an org compartmentalizing information. What is illegal is fraud... one person in an org saying one thing, while others in the same org know that the thing is not true. The other problem with overly compartmentalizing information is not related to legal liability at all: if managers don't know what's going on, good or bad, they can't be trusted by shareholders, which can kill the stock price.
Shareholders generally prefer known challenges than unknown ones.
In many cases these are not things that people do consciously, and in some cases they do it because they are pressured to make the wrong decisions without fully realizing the consequences. For instance, shareholders could push a CEO to expand the company when the financial situation does not actually allow it.
I agree that if someone willfully breaks the law that no blog post will stop that from happening, but quite frequently when and if it happens (especially in smaller companies where CEOs tend to be younger and less experienced) it is actually not intentional and rooted in incompetence rather than in malice.
There are plenty of other positions in companies that come with similar personal criminal liability. They mostly only exist in finance industry, but the roles of CEO, CRO, MLRO etc in most financial institutions come with personal criminal liability.
The liability in these cases is usually tied to competence and knowledge. It’s illegal to be incompetent at your role, and it’s illegal to be ignorant of the activities of your company that fall within your roles responsibilities. The expectation is that individuals in this role will setup policy and monitoring frameworks to make sure that nobody is doing any stupid, that might result in them going to prison.
All of these requirements came into existence after the 2008 financial crisis, after it became apparent that senior leaders in financial institutions we’re keeping themselves deliberately ignorant of the misbehaviour of their companies, and creating a situation where nobody could be held responsible for the mess.
I’m not sure that age verification for website meets the bar needed for applying this approach here. But there are certainly places where it makes sense.
reply