by grovegames 3281 days ago
But what law specifically was broken? Should we have a law that punishes the CEO for data breaches? Is a CEO responsible if his experts recommended the practice? Is the CEO responsible if their staff went around and did this without consent? That seems rife for abuse. Don't like your CEO, leak some data and have him go to jail.

I think data that has to do with voting records, or suspected voting records, would be very reasonable to be under the purview of being treated as sensitive data that, if breached, should have consequences to a company.
If these are voting records, which are public, it may well be that they haven't done anything prohibited even if they intentionally distributed all this data to everyone.

As in, the company didn't want to distribute this data, so it's a breach, and the person who did that would be guilty of stealing the company's confidential information (i.e. the modelling info) but it seems quite likely that purely (re-)distributing the core data of people's names and addresses doesn't actually violate any US laws at all; US privacy laws (outside of medical data) are very lax compared to e.g. EU.

I could imagine that victims of a future identity theft might have a civil claim against the company if/when real losses have occurred, but it's quite possible that if the CEO personally published all this data, filmed all of this, and sent to the prosecutor's office, that no crime (according to current USA privacy laws) could be found there.

I'm not saying this shouldn't have consequences. What I'm saying is this is far too nuanced to just say "lock up the CEO".
How about making positive proposals of your own instead of negating everyone else's? Clearly many people find the existing rules and practices inadequate and propose heavy burdens of responsibility commensurate with the substantial incentives and rewards that accrue to success in business.

CEOs are not an oppressed class groaning under the burden of social structures that keep them locked up in the C-suite. Even if they are confronted with draconian penalties for naive misadventure, most CEOs of medium and large firms can afford A+ legal representation. If you're more worried about them than you are about the potential first and second-order effects upon tens or (in this case) hundreds of millions of people, then you are essentially choosing to be a pawn of the powerful.

I think you're blowing grovegames' original post out of proportion — he asked some pretty reasonable questions.
Of course they're reasonable. But problematic large scale data breaches are not a new problem. The last financial crisis was almost a decade ago, and yet we haven't developed a new culture of organizational responsibility since, despite the massive societal costs.

Not to make overly sweeping generalizations, but 'hold on, let's think through all the ramifications here instead of being too hasty' is a great way to maintain the status quo while avoiding any responsibility for it. Who benefits? It sure ain't the general public.

Indeed, lock up a couple CEOs and the others will feel a much stronger need to create better protections. Right?