Re: Hotel-chain turned data faucet Marriott
This isn't/wasn't an admin problem, this is/was a security officer problem. And the responsibility should be with a C-level security officer.
They're not likely to worry about a fine if they're not worried about a breach (likely to be far more costly). Either way, they'll look to blame it on the person with the least clout (think Breaker Morant, or Lt. Calley).
It relates to the difference between formal and efficient causes, or something like that.
This is why I abandoned the DBA game after 10 years. If something goes wrong you're always the guy next to the machine, who with hindsight could have done something differently. What will not be taken into consideration is that your recommended, best-practice measures were not taken in order to save a few currency units. In my case, it was things like re-using backup tapes more times than recommended, or running versions of the database that were no longer supported ("we can't leave this one because our app vendor went out of business before migrating the app to the current version").
The C-level security person is usually a permanent employee (can't be fired without a court case, at least not in Belgium) with little technical knowledge. He or she relays the cost-cutting dictates to you and (hopefully) your warnings back to the C-suite. The C-suite claims credit for the lower costs, but not for any consequences this entails. To be fair, you can't tell the C-suite what the probability of an incident is, or the likely impact; it's not a game of dice, with a known set of possible outcomes.
What I've been seeing is that, for freelancers at least, there's a push to make us accept unlimited liability for anything that happens. I recently turned down a good offer because the agency's contract contained many clauses like this: "The contractor will be liable for any data breach". No qualifiers saying that it had to be my fault or even to have happened while I was there. They want to make you liable, but how much do they think they'll get from someone who's poor enough to be working for a living? The strategy seems to be to push off liability to someone else.
The deeper problem is in the technology itself: a small mistake or oversight can have consequences that are wildly out of proportion to the negligence involved. Even perfect best practice is no guarantee against total disaster (breach, data destruction). It's not only IT: think nuclear energy, genetic manipulation, bio-weapon development, ...
The problem for most of the people who read this site is how to avoid situations where this looks like a real possibility. In my experience, you can usually smell such projects after a week or two. Sometimes you can even smell it at the interview.