Will the New Qantas Executive Bonuses Policy Become Standard for Data Breaches?

September 11, 2025


Qantas has announced executive bonuses can now be docked by about 15% for major security lapses. CEO Vanessa Hudson will see AUD 250,000 taken back due to the data breach that exposed six million customer records.

It is relatively rare to see CEOs or executives held personally responsible for data breaches. That’s no longer the case at Qantas, which has announced executive bonuses can now be docked by about 15% for major security lapses such as the one that exposed millions of customer records recently.

The idea of tying pay and executive bonuses to cybersecurity performance has been discussed here and there over the years, but little serious effort has been made. That makes the Qantas policy change very noteworthy, though the company has previously shown it is willing to be unusually aggressive about docking compensation for poor performance. It is unclear if this will pick up steam as a broader trend.

Data breach will cost Qantas CEO AUD 250,000

Qantas CEO Vanessa Hudson will see AUD 250,000 of a short-term AUD 2.04 million bonus taken back due to the data breach that was disclosed about two months ago, which is thought to have involved Scattered Spider and ShinyHunters working as a team and resulted in about six million customer records being exposed. A statement from Qantas indicated that a 15% hit to executive bonuses could be expected as a standard going forward, though Hudson’s penalty appears to fall a little below that amount.

Examples of executives being held personally responsible for a data breach in any way, let alone specifically having executive bonuses reduced, are few and far between. One of the earliest examples is the massive 2013 data breach of US retailer Target, which involved the theft of some 40 million credit and debit card numbers as well as 70 million customer records. CEO Gregg Steinhafel and a number of members of the board accepted personal responsibility for the security shortcomings and voluntarily stepped down in 2014.

It would be about 10 years from that incident until the FTC held Drizly CEO James Cory Rellas personally responsible for a data breach that involved about 2.5 million customer records, the first time the agency had done so. Rellas was not fined or financially penalized but was hit with an FTC order that required him to establish a specific cybersecurity program at any new job he took for the next 10 years. The agency has limited ability to issue financial penalties to individual executives but has gone on to refer cases to the DOJ, which is able to bring lawsuits against individuals; this just happened last year with two executives at Adobe accused of concealing information about added subscription fees and cancellation policies from customers.

Are executive bonuses at risk at other companies?

While Qantas has been known to aggressively cut executive pay in cases of business failure, such as its lopping of AUD 9.4 million of former CEO Alan Joyce’s exit pay, this is still a very surprising move. By itself, it is not likely a bellwether for a new industry trend. The adoption of the idea by just a few other major companies could cause it to begin snowballing into a trend, however.

Hudson’s personal involvement in this particular case also remains somewhat unclear, as the data breach is reportedly the result of a campaign by ShinyHunters to penetrate customer centers by targeting individual employees with social engineering. The employees were convinced to connect to a tainted version of Salesforce, something that executives have little control over other than approving training and policy for these situations.

Ultimately the raid on executive bonuses might tie more to Australia’s larger ongoing cybersecurity woes than anything else, and the perceived need for bigger symbolic moves to reassure the public that things are being done. But actions against executives can also send a strong signal to shareholders that boards are taking cybersecurity seriously and making it a priority, something that has been a pain point throughout many organizations for a very long time now.