Indeed, the CEO was held criminally liable, but the charges were dropped in a higher court just recently. From the article:
"In April 2023, Tapio was found guilty of criminal negligence in his handling of patient data. His conviction was overturned on appeal in December 2025. (He declined my requests to interview him.)"
More specifically, he was charged with a data protection crime (note that in Finland these GDPR-like offences are also part of the criminal law). However, based on local news, I suppose there was not enough evidence that it was specifically a responsibility of the CEO or that CEO-level gross negligence occurred.
According to this report [1] the appeal was about specific requirements like encryption, and he claimed he had delegated it. So it is clear that it is hard to actually hold people responsible.
> The appellate court rejected the prosecution's argument and dismissed all charges. In its unanimous decision, the court stated that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymisation of patient data at the time in question.
> Prosecutors alleged that Tapio knew about the March 2019 breach and failed to act. They claimed he neglected legal obligations to report and document the incident and did not take sufficient steps to protect the database. Tapio denied the claims, saying he was unaware of the breach until autumn 2020 and had delegated technical oversight to external IT professionals.
> The court found there was no clear legal requirement at the time obliging Tapio, as CEO, to take the specific security measures cited by the prosecution. These included firewall management, password policies, access controls, VPN implementation, and security updates.
> According to the ruling, the failure to adopt such measures did not, in the court’s view, constitute criminal negligence under Finnish law.
> Tapio’s conduct during and after the 2019 breach did not meet the threshold for criminal liability, the court concluded.
It isn’t absolutely everything, it’s for negligence. If you don’t have basics in place, like independent pen-tests, ISO 27001 audits — or some equivalent — when you’re handling clinical data, then that’s negligence.
If a breach happens and you were seen to have followed best practice, you won’t be found criminally negligent.
That is part of being an executive. The buck stops with you — if you’re an executive, you’d better understand your obligations, you get the big bucks for a reason, it isn’t just a fancy job title.
Other people in the organisation can be held accountable for criminal acts, but when it comes to criminal negligence, it’s the executives that are liable, because it’s a systemic failure and you’re deemed to be in charge of the system.
>if you’re an executive [...] you get the big bucks for a reason
In Finland? Notably wage-compressed Finland?
No comment on the specifics of this case, I agree with you that the executive should be where the buck stops. But you would be surprised how many various execs I have met here over the years who admit behind closed doors they really do treat it as a fancy job title that barely pays above their last position, but comes with 3x the stress, and they do it simply because, well, someone has to. You can't really be surprised that most of the folks here who you might want to be in the C-suite decide it's just not worth it, that remaining a middle manager or even an IC is simply a far better value proposition.
Posting anonymously here. I was on the leadership team of a Nordic public company, reporting to the CEO, presenting to the board and representing the company at the AGM. Total comp a little under $200k.
The compensation really didn’t match what you take on in terms of responsibility and legal liability. The stress was significant too. That said, as you point out, the work needs doing.
Recommended if you have an over-active sense of duty, not otherwise.
But this is not “absolutely everything”. No one is saying CEOs should be accountable for every action of an individual employee.
So if not the CEO, who is accountable when something like this breach happens? The CTO? The PM? The DBA? Nobody? Maybe the developer who wrote the code or botched the configuration should be prosecuted?
CEOs can justify their pay by being accountable for what their company does. They’re the CEO, after all. Maybe they’ll care more when they have some actual skin in the game.
When a bridge fails, it is the professional engineer that signed off on that part. If you want someone to sign off on software or IT you will need to pay them quite a lot.
Yes, I would expect compensation to increase proportionally with accountability. What makes no sense is compensation that increases irrespective of accountability.
Being the CEO of a company that handles risky, sensitive things should be risky for the CEO, personally. And their compensation can reflect that.
That could be outlawed as well, as it probably wouldn’t be too difficult to show that the person wasn’t actually making any of the decisions. Not that I expect any of this will ever happen.
Funny how whenever people complain about the GDPR here they think they would be slapped with a €20M fine and that EU team 6 is going to parachute into their office and arrest everyone.
Well, not for public bodies at least: “Administrative fines cannot be imposed on public organisations, such as the government or state-owned companies, municipalities and parishes” [1]
But luckily this sort of thing never happens in the public sector. Except for when it does: https://yle.fi/a/74-20094950
That's interesting, because if you go here https://www.enforcementtracker.com/ there are a lot of public institutions being hit with fines (if they are enforced it's another issue) - search for Municipality for example
However I don't see any municipality in Finland getting fines
The law is written such that they could do all that to a small family business that forgot to delete their Apache logs, which isn't good and leaves room for abuse even if they pinkie swear it's only meant for big violations.
Only after informing you, giving you the opportunity to fix things, and many, many other steps. The harshness is directly related to the size of the company and the company’s willingness to fix any issues. They want companies to comply.
Yes it was. The company was fined 20M EUR on standard GDPR-basis and went bankrupt (but unlikely due to the fine alone). Please re-read the above discussion.
That was actually insightful, including with respect to the continuous and serious validity issues with benchmarks (pp. 7-9), and the overall business prospects / sensible application domains.
> Woah, the thing that leapt out at me, as a professor, is that they somehow got an exemption from the UMN institutional review board. .... in addition to being conducted deceptively
There are cases where deception (as they call it) can be approved (even by ethics boards). Based on the Verge's article, this research setup should not have been approved even by then. But the topic itself seems as relevant as ever with the xz case and all.
Right, that's something to discuss at the IRB review. But they didn't even do an IRB review before conducting the experiment. After the outcry, they went back to the IRB and said "was this OK?"
Because it could always be that "AI did it", right? And people have LLMs running locally too, so you never can know whose bullshit it is. And with this omnibus package, there is nothing you can do, basically (except criminal justice but then too it gets interesting if your local or remote LLM is just bullshitting you and you have no better knowledge). Post-truth, really.
I think this piece was a good summary of the state of affairs.
If I had written it, I would perhaps have mentioned that similar problems also exist in other domains, including science, arts, and media. Maybe the solutions might be similar too? I am particularly pointing toward the following quote that wasn’t yet discussed here:
"New reporters could be required to have established community members vouch for them, creating a web-of-trust model. This mirrors how the world worked before bug bounty platforms commodified security research. The only downside is, it risks creating an insider club."