Should Directors Face Prison Time for Cybersecurity Negligence?
On 3 June 2024, a patient arrived at the accident and emergency department of a major London hospital, feeling unwell. The triage nurse ordered a blood test to diagnose the issue. The sample was sent to the pathology lab.
The patient waited. The medics waited. They all waited some more.
The patient died.
Not from their original condition. Not from medical error. The patient died because ransomware had shut down blood testing at Synnovis, the NHS pathology provider serving hospitals across southeast London.
The security control that would have stopped this attack? Multi-factor authentication. Completely free. Built into Microsoft 365, Google Workspace, and practically every other platform. You just turn it on.
The consequences for the executives who chose not to bother enabling it? Nothing. Absolutely nothing.
When Missing Safety Equipment Kills
If a construction worker dies because a director decided that hard hats were too expensive or inconvenient, that director goes to prison. Directors and senior managers face criminal prosecution under the Health and Safety at Work Act. This happens regularly, and it has created a culture where workplace safety is taken seriously because executives know they will personally face consequences.
Yet when a patient dies because directors could not be bothered to enable free security controls, nobody faces any consequences whatsoever.
In this week's episode, my co-host Mauven MacLeod and I tackle the uncomfortable question that nobody in cybersecurity wants to ask: should directors face criminal prosecution, including prison time, for gross cybersecurity negligence?
What We Mean by Gross Negligence
Before the angry comments start, let me be absolutely clear about what we are proposing. We are not suggesting that every data breach should result in someone being jailed. That would be completely insane.
We are talking about gross negligence. The really inexcusable stuff. Where directors:
- Know the risks
- Have the resources
- Have access to free or affordable controls
- Choose not to bother implementing basic security
The Synnovis case is a textbook example. This was not sophisticated attackers with custom malware. This was criminals walking through an unlocked door because nobody could be bothered to turn on the free lock that came with the building.
The Health and Safety Precedent
The UK already has a functioning model for this. The Health and Safety Executive (HSE) prosecutes directors when workplace safety failures cause serious harm or death. The precedent is well-established, the legal framework exists, and it works.
Compare the HSE's enforcement record with the Information Commissioner's Office (ICO). When was the last time you heard of a director facing criminal prosecution for a data breach? The answer is never, because it does not happen. The worst consequence is usually a fine paid by the company, while executives walk away with their bonuses intact.
Why This Matters for Small Businesses
Some of you running small businesses might be thinking this does not apply to you. Here is why you should care anyway.
If we establish that gross negligence causing serious harm is criminal, that principle applies whether you are running a village shop or a FTSE 100 company. But, and this is crucial, the standards would be proportionate.
A five-person business is not held to the same standard as a multinational corporation. You are expected to implement reasonable security measures appropriate to your size, resources, and the sensitivity of the data you handle, just as health and safety law does not expect a corner shop to have the same safety infrastructure as a construction site.
The Immediate Actions You Can Take
Regardless of whether criminal liability legislation ever happens, there are steps every business should be taking right now:
Enable MFA everywhere. Check every single system your business uses. Email, cloud services, accounting software, CRM systems. If it does not have MFA available, it is time to find a new vendor. If a vendor wants to charge extra for MFA in 2025, they are taking advantage of you and should be named and shamed.
Document your decisions. If you choose not to implement a particular security control, document why. What is the risk? What is the cost? What is the business justification? This is not just about legal protection; it forces you to actually think through your security decisions rather than just ignoring them.
Ask yourself the honesty question. If something went wrong tomorrow, could you genuinely say you had implemented reasonable security measures for your size and resources? Not perfect security, which does not exist. Reasonable security.
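As an added illustration (not code from the episode or its hosts), the following Python script audits a constructed systems inventory against the two rules above: MFA must be enforced wherever the platform offers it, and any control left switched off must carry a documented decision recording the risk, the cost and the business justification. Every system and vendor name other than Microsoft 365 is made up.

```python
"""Audit a systems inventory for MFA coverage and documented exceptions."""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    vendor: str
    mfa_available: bool      # does the platform offer MFA at all?
    mfa_enforced: bool       # is it switched on for every account?
    mfa_costs_extra: bool = False
    decision: dict = field(default_factory=dict)  # documented risk acceptance


# A decision to leave a control off only counts if all three are recorded.
REQUIRED_DECISION_FIELDS = ("risk", "cost", "justification")


def audit(inventory):
    """Return {system name: [finding codes]} for every system needing action."""
    findings = {}
    for s in inventory:
        codes = []
        if not s.mfa_available:
            codes.append("no_mfa_offered_find_new_vendor")
        elif not s.mfa_enforced:
            missing = [f for f in REQUIRED_DECISION_FIELDS if not s.decision.get(f)]
            codes.append("mfa_off_documented" if not missing else "mfa_off_undocumented")
        if s.mfa_costs_extra:
            codes.append("vendor_charges_for_mfa")
        if codes:
            findings[s.name] = codes
    return findings


# Constructed sample inventory; vendors other than Microsoft 365 are fictional.
SAMPLE_INVENTORY = [
    System("Email", "Microsoft 365", True, True),
    System("Accounting", "ExampleBooks", True, False),
    System("CRM", "ExampleCRM", True, False,
           decision={"risk": "Low: read-only data, SSO-gated",
                     "cost": "Two days of vendor work",
                     "justification": "MFA enforced by identity provider"}),
    System("Pathology portal", "ExampleLab", False, False),
    System("File sharing", "ExampleShare", True, True, mfa_costs_extra=True),
]

if __name__ == "__main__":
    for name, codes in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(codes)}")
```

Systems with no findings (here, Email) pass; the undocumented accounting gap is the kind of decision the second action above says must be written down before it is allowed to stand.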
What Comes Next
Next week's episode will tackle the practical questions. What would a Corporate Cyber Negligence Act actually say? How do we define the thresholds? What are the defences? How do we avoid this turning into compliance theatre that creates paperwork without improving security?
We will examine international models, look at what Singapore and the EU are doing, and design a framework that protects small businesses while targeting genuine negligence.
The Fundamental Problem
But today's point stands. Someone died because of preventable cybersecurity negligence. The control that would have stopped it was free. Nobody faced any consequences.
That is not a functioning accountability system. That is permission to fail.
Until we create real personal consequences for executives who choose negligence over basic security, we will keep seeing the same preventable disasters. Patients will keep dying. Businesses will keep failing. Supply chains will keep collapsing.
And directors will keep walking away with their bonuses intact, leaving someone else to clean up the mess.
Perhaps it is time we asked ourselves: if we prosecute directors when missing hard hats kill workers, why do we not prosecute them when missing MFA kills patients?
Listen to the full episode to hear our complete argument, including international comparisons and the detailed case for criminal liability.
Episode Resources
- Infosecurity Magazine: Patient Death Linked to NHS Cyber-Attack
- The Record: Ransomware Attack Contributed to Patient's Death
- Digital Health: Two-Factor Authentication May Have Stopped Synnovis Attack
- Howden: The Synnovis Cyber-Attack Warning for Healthcare Providers
- Health and Safety Executive: Prosecutions Database