by repolfx 2951 days ago
In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked, and the primary bottleneck to making software more secure is crap tools, crap platforms, poor training and inability to hire people who deeply understand security.

Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".

3 comments

> In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked

No, it boils down to an incentive. No company wants to get hacked, but a lot of those same companies aren't willing to invest in security measures and training that could mitigate the risk.

> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".

I don't think anyone's proposing a regulation like that. However, it's not fair to put the costs of a data-theft squarely on the victims, when it was really the company that was responsible for securing the data.

But companies that do invest massively still get hacked. See: Google. Yahoo. Microsoft.

It's also not even always clear what hacking actually means. A common way users get hacked is by reusing the same password on every website. One of those small sites gets hacked, the hackers try the user's password at bigger sites to see if it works. Big players like Google and Facebook have heuristic systems that try to detect and block that, but sometimes they don't work.

So who's at fault then? The user for losing control of their password? The small site, probably not EU based, doesn't give a shit? Or the big guys who tried to protect the user but failed? Given the way the GDPR is being done my guess is the big guys will get taken to the cleaners even though they did nothing wrong.

Basically, you can't stop a big company from getting hacked no matter how much you spend on security.
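The "heuristic systems that try to detect and block that, but sometimes they don't work" point above, as an added example that is not part of the thread: a minimal credential-stuffing detector over constructed login-attempt records, plus the distributed low-and-slow replay that stays under its thresholds. The IP addresses, usernames and thresholds are made up for illustration; no real provider's detection logic is described here.

```python
"""Added example: per-source credential-stuffing detection and its blind spot.

A leaked-list replay from one source looks like many distinct usernames in a
short window with mostly failures. Spreading the same replay across many
sources, one attempt each, produces no per-source signal at all.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int      # seconds since some epoch
    ip: str      # source address
    user: str    # username tried
    ok: bool     # did the password match


def detect_stuffing(attempts, window=300, max_users_per_ip=5, min_fail_ratio=0.8):
    """Return the set of source IPs that, within any `window` seconds, tried more
    than `max_users_per_ip` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    flagged = set()
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # slide the window so events[start:end+1] spans at most `window` seconds
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            users = {a.user for a in win}
            fails = sum(1 for a in win if not a.ok)
            if len(users) > max_users_per_ip and fails / len(win) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


# Constructed sample data (not real logs).
# One source replays eight leaked credentials in 70 seconds; one of them still works.
FAST_ATTACK = [
    Attempt(ts=10 * i, ip="203.0.113.7", user=f"user{i}@example.com", ok=(i == 3))
    for i in range(8)
]
# The same eight credentials, one attempt per source: nothing for a per-IP rule to see.
SLOW_ATTACK = [
    Attempt(ts=600 * i, ip=f"198.51.100.{i}", user=f"user{i}@example.com", ok=(i == 3))
    for i in range(8)
]
# A legitimate user who mistypes twice then succeeds.
LEGIT = [
    Attempt(ts=5000, ip="192.0.2.1", user="alice@example.com", ok=False),
    Attempt(ts=5004, ip="192.0.2.1", user="alice@example.com", ok=False),
    Attempt(ts=5009, ip="192.0.2.1", user="alice@example.com", ok=True),
]


def demo():
    """Run the detector over each sample; returns {label: flagged IPs}."""
    return {
        "fast": detect_stuffing(FAST_ATTACK),
        "slow": detect_stuffing(SLOW_ATTACK),
        "legit": detect_stuffing(LEGIT),
        "mixed": detect_stuffing(FAST_ATTACK + SLOW_ATTACK + LEGIT),
    }


if __name__ == "__main__":
    for label, ips in demo().items():
        print(f"{label:>6}: {sorted(ips) or 'nothing flagged'}")
```

The detector catches the single-source replay and leaves the legitimate user alone, but the distributed replay is indistinguishable, per source, from eight unrelated people each mistyping once. Catching that needs signals the per-IP rule does not have (a site-wide spike in failures against accounts that normally never fail, successes from never-before-seen devices, known-breached password lists), which is the kind of gap the comment above alludes to.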

> Basically, you can't stop a big company from getting hacked no matter how much you spend on security.

I never said anything to the contrary, but the observation is irrelevant. You can't stop all pollution, but that doesn't mean you shouldn't pass regulations that either ban it or impose liability for it.

That's an invalid metaphor. The point behind regulating specific types of pollution and fining companies that emit it is in fact to completely eliminate it. When total elimination isn't possible regulators have taken alternative approaches, like phase outs and carbon trading schemes.

The GDPR authors appear to believe that not being hacked is merely a matter of choice, despite all evidence to the contrary. They are clearly dangerously delusional. If even Google, with its pick of the crop, unlimited budget and massive security team, cannot avoid being hacked, then nobody else has a chance.

Regulators don't care if you're hacked.

What they care about is how much data you had (and did you need all of it), did you tell the users, have you put things right, had you done anything to protect the data?

If you have a lump of data that you don't need, that you store with no attempt at encryption, and it's held behind software that you haven't bothered to update even though security patches have been released then yes, you're going to be regulated.

> it was really the company that was responsible for securing the data

It was the financial industry and government that were responsible for implementing an identity scheme with a less insane architecture than handing the same secret material to every relying party. I disagree that we can or should force everyone to tie themselves in knots supporting it.

You say that, but what are the attack vectors in these high-profile breaches?

- Unpatched, publicly documented vulnerabilities.

- Unauthenticated S3 buckets.

- Unencrypted laptops.

- Default passwords.

This isn't subtle crypto weaknesses or attack vectors missed in the security assessment of protocol designs. It's carelessness. It's stuff that any high school kid who's good with computers will tell you about, let alone any IT professional or software engineer.

And the entrypoint when Google got hacked by the Chinese was Internet Explorer 6.

People who think defending networks is merely a matter of choosing not to get hacked have clearly never tried to do it.

> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".

It doesn't say "don't get hacked", it says "if (when?) you get hacked, minimize the cost to people who trusted you with their data". And the easy way to conform is: 1. do not collect more than you need to provide the service, and 2. do not keep the data you don't need any more just in case. Which should be the default, but in the world of cheap storage and data mining seems to be forgotten, or an afterthought. E.g. when a user unsubscribes we tend to set the flag "subscribed" to false next to the rest of their data, instead of removing the e-mail address we don't need.
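The unsubscribe example in the comment above, as an added illustration that is not part of the thread: the flag-flip design beside the delete design, run against an in-memory sqlite3 table, with a "breach dump" showing what an attacker who walks off with the database file gets in each case. It also goes one step beyond the comment: if the business genuinely needs to remember "never mail this person again", a keyed hash (HMAC) of the address can serve as a suppression list without storing the address itself. The schema, key and addresses are made up for the example.

```python
"""Added example: unsubscribe as a flag flip vs. unsubscribe as deletion.

After a breach, the table is what leaks. The flag design leaks every address
ever collected; the deletion design leaks only current subscribers plus a
keyed hash that is useless without the server-side key.
"""
import hashlib
import hmac
import sqlite3

# Illustrative schema (an assumption, not from the original comment).
SCHEMA = """
CREATE TABLE subscribers (
    email      TEXT PRIMARY KEY,
    subscribed INTEGER NOT NULL DEFAULT 1,
    created_at INTEGER NOT NULL
);
CREATE TABLE suppression (
    email_mac  TEXT PRIMARY KEY   -- HMAC of the normalised address, never the address
);
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def _norm(email):
    return email.strip().lower()


def _mac(key, norm_email):
    # Keyed hash: without `key`, the dump cannot be reversed by guessing addresses.
    return hmac.new(key, norm_email.encode(), hashlib.sha256).hexdigest()


def subscribe(db, email, now):
    db.execute("INSERT INTO subscribers (email, created_at) VALUES (?, ?)", (_norm(email), now))


def unsubscribe_by_flag(db, email):
    """The pattern the comment criticises: the row and the address stay."""
    db.execute("UPDATE subscribers SET subscribed = 0 WHERE email = ?", (_norm(email),))


def unsubscribe_by_deletion(db, email, key):
    """Remove the address; keep only an HMAC so a later re-subscribe or
    re-import can be checked against the suppression list."""
    norm = _norm(email)
    db.execute("DELETE FROM subscribers WHERE email = ?", (norm,))
    db.execute("INSERT OR IGNORE INTO suppression (email_mac) VALUES (?)", (_mac(key, norm),))


def is_suppressed(db, email, key):
    row = db.execute(
        "SELECT 1 FROM suppression WHERE email_mac = ?", (_mac(key, _norm(email)),)
    ).fetchone()
    return row is not None


def breach_dump(db):
    """Everything an attacker gets from the database file: every cell of every table."""
    cells = set()
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in db.execute(f"SELECT * FROM {table}"):
            cells.update(str(v) for v in row)
    return cells


def demo():
    """Return (flag_dump, deletion_dump) for the same user lifecycle."""
    key = b"constructed-server-side-key"  # would live in a secrets store, not the database

    flag_db = new_db()
    subscribe(flag_db, "Alice@Example.com", now=1000)
    unsubscribe_by_flag(flag_db, "alice@example.com")

    del_db = new_db()
    subscribe(del_db, "Alice@Example.com", now=1000)
    unsubscribe_by_deletion(del_db, "alice@example.com", key)

    return breach_dump(flag_db), breach_dump(del_db)


if __name__ == "__main__":
    flag_dump, del_dump = demo()
    print("flag design leaks:    ", sorted(flag_dump))
    print("deletion design leaks:", sorted(del_dump))
```

The HMAC suppression list is a compromise, not free: anyone who obtains both the dump and the key can test candidate addresses against it offline, so the key has to be kept out of the database and the backups that travel with it. If the business does not need a suppression list at all, plain deletion is simpler and strictly better.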