It's not overly harsh
Individual members of staff can be done over for all kinds of misconduct already - mainly financial, such as insider dealing and money laundering.
The problem with doing it for IT staff would be making sure the responsible person got hit instead of some innocent foot soldier. Would have to be an unwritten rule that it is applied at executive level, e.g. MD.