The fact that the CEO can access data at whim should be very troubling. That means they don't have even the most basic infosec guidelines in place.