Privacy & Cybersecurity Law Blog

Australian airline Qantas Airways Ltd. recently announced that the company’s CEO and top executives would forfeit A$800,000 (approximately USD $522,000) in compensation following a cyber incident that compromised the personal information of 5.7 million customers. Docking executive pay in response to a data breach is relatively uncommon, but the move may underscore growing pressure on executive boards to hold leadership accountable for cybersecurity risks.

The Qantas board’s decision emphasized that cybersecurity is not just a technical issue but a governance concern requiring oversight at the highest levels. By linking executive compensation to the company’s cyber response, Qantas has joined a small but noteworthy set of instances in which executive boards or regulators have tied executive accountability directly to data protection.

Such measures remain rare. More than a decade ago, a 2013 Target breach ultimately led to the Target CEO’s departure. More recently, in 2023, the Federal Trade Commission held Drizly’s CEO personally responsible for failing to implement basic cybersecurity safeguards. While the Drizly action did not involve financial penalties, it marked a significant step in holding executives individually accountable.

As the Qantas example illustrates, executive boards and regulators appear increasingly willing to make cybersecurity performance a factor in executive accountability, and compensation could become a central tool in that governance shift.