I actually don't think it needs to be criminal. We just need civil laws that make these kinds of leaks incredibly costly.
Maybe liability for private information loss could be $10k a user. So, Equifax would owe the public 1.4 trillion dollars. Of course, they wouldn't be able to pay that, so the company would be chopped up into bits and sold for scrap.
I think that would catch more attention than some mid-level manager fall guy going to jail for six months, as would likely be the case with criminal proceedings.
While I tend to agree with catastrophically steep penalties, there are perhaps unintended consequences.
It wouldn't be hard for an APT type shop to breach just about any average corporation using an arsenal of private exploits, fuck with their security configuration to make it look like gross incompetence, and exfiltrate the data to some seemingly-amateur front organization that actually leaks it.
End result is you could have foreign actors knocking out their country's competition abroad, using their competitor's laws to do so. Not ideal.
Maybe some determination would have to be made to avoid that, like a judgement rendered on the corporate culture. For example, is it obviously a cesspool of incompetence just in a general sense? Great, burn the company down.
Does the company custom-design their own ARM hardware to at least have a fighting chance vs APT-type threats? Maybe they did everything they reasonably could in that case. You could also argue smaller companies did everything they could even if they don't have the resources for that, provided there's not rampant incompetence.
Well, it could be. In the case where it looked like sabotage, I'd expect the victim company to go to great lengths to prove it (i.e., evidence to the contrary, etc.). It probably wouldn't be that hard.
In this case, it was a spyware company. Seems almost fitting that they'd be unconcerned about securing data that was essentially tricked/stolen from their users.
More importantly it punishes the organization for something that is an organizational failing, whereas jailing an individual system administrator for a data breach punishes the individual for the incompetency of their superiors.
Up to 4% of the company's revenue doesn't solve much. Depending on the sector, 4% of revenue (are we talking EBITDA?) may potentially be less than a slap on the wrist, and internally middle-management will take the blame for the reduction in sales margin/operating profit.
The above comment is almost certainly a reference to GDPR, for which the maximum penalty for malicious non-compliance is "up to 4% of the total worldwide annual turnover." It is not net income or profit or EBITDA or anything else that subtracts operating cost, it is revenue.
IMO all the cookie warnings we see are just misguided attempts to ignore it and continue more or less like before and should probably not save anyone in court, again if I've understood it correctly.
Up to 4%? Wouldn't that simply be considered cost of business for some corporations? Pay less in security, etc. and just consider the 4% a smaller tax of sorts?
It is highly unlikely that the chairman and CEO of any corporation that was found guilty under GDPR and had to pay 4% would survive.
Few bank CEOs have survived the various "we will get some payback for 2008" fines over the years.
If you want to change corporate culture, you don't need to destroy the company, just hold a gun to the head of each CEO and see how fast they make sure everyone else dances.
This is one of the best things about Sarbanes-Oxley: the CEO actually signs off the accounts and will go to jail if the accounts are misleading. So guess what has had top priority at banks across the globe?
In the US, I'm highly pessimistic that any law that gave people a private right of action against basically any company that touches their data would ever pass without large and noticeable changes to the business and legal landscapes.
While that's fair, it should actually be the other way around.
Let the government keep the money. They'll be more inclined to actually enforce the law. We see how aggressively they police drugs when they stand to benefit from civil asset forfeiture.
If the Equifax breach didn't send anyone to jail, nothing will. A breach the size of Equifax should have been followed with massive fines and possibly even killed the company, but nothing happened.
Nothing happened because it's very difficult to assess damages of personal information.
For example, if a health insurer the size of Equifax lost the equivalent amount of HIPAA related information due to negligence, you can sure bet there would be penalties. That's because HIPAA related info has legally defined protections.
As it is, calculating the damages of releasing your Equifax info is a speculative guess at best, which is why at most you got to lock access or ID fraud protection.
> Nothing happened because it's very difficult to assess damages of personal information.
It's also very difficult to assess damages of copyright violations... and so the companies that had it in their interest to get this working pushed for statutory damages.
Which is why damages for this negligence should have statutory minimums. $10,000 mentioned elsewhere in this thread is a nice round number. If given a sufficient period to fix their shit (a year?), no one can complain that they've been harmed by such a requirement. I've seen this in contracts, which said basically, "since it will take years for a court to assess damages if you do this awful thing you agree not to do, we stipulate here that the damages will be $X instead."
> Nothing happened because it's very difficult to assess damages of personal information.
It's interesting that you bring up health insurance, because that's an industry that definitely knows how to calculate the value of various pieces of personal information.
The concept of "I doubt you'd hear any competent IT director ever say they won't experience data breaches in the future." should tell you why we don't send people to jail for this type of thing. 100% prevention of breaches cannot be guaranteed ever [due to the infinite number of failure points in software and hardware as we've seen with the recent CPU hardware bugs, etc] so jailing IT people for breaches would only stop once every IT person was in jail because they didn't notice a line of code in millions of lines of code.
There should be some level of competence of course, leaving things wide open doesn't seem safe, lol.
It's about taking a reasonable level of security practice, like you said "some level of competency required."
We require this of our bridges, and our roads, and our buildings. I'm not sure why we don't for our personal information assets. Arguably the Equifax hack will cause far greater economic loss than, say, a hole in the middle of Mission Street opening up due to lack of review by a civil engineer, so I don't get it.
Is it because politicians are uneducated technically? We didn't have good fire law in America until a room full of seamstresses burned to death when the single exit was blocked off, do we need something similar for infosec? Equifax SHOULD have been that but whoever breached it didn't release yet (as far as I know) so maybe nobody is feeling the pain yet.
It would certainly be good to have some professionalism imposed at critical junctures.
I don't think criminal penalties are appropriate but civil penalties for data breaches should simply have no limit, the possibility of shareholders and debtors forfeiting all value should be included.
At the same time, the problem is "professionalization".
The problem of when one needs "real software engineering" is incredibly hard to solve. It's an incredibly fuzzy line and any organization would have a strong incentive to be on the cheaper, non-professional end of the line.
Only when the outrage gets loud enough to affect their chances for reelection (which happens with a lot of issues, just not this one).
Unfortunately, Hacker News seems to be the only place where security is taken seriously. Probably because we understand the severe collective risks involved to everything from banking to healthcare, whereas most people as individuals don't care if, say, their credit card number is stolen, since they aren't liable for fraud. It's hard to see the bigger picture if you aren't technical.
I don't think it's fair to say only this website takes it seriously, though perhaps this website is a good cross-section of people that do seem to take it seriously. You can also find those people on reddit, twitter, lesswrong, IRC, etc.
The question is, who's failing to make the whole WORLD care about it? Or at the very least, the politicians? I can count on shitty lobbyists at least ensuring that, like, the economy doesn't fucking burn us alive, because they lose money when that happens. Why aren't the fatcats also getting that about netsec? If the NYSE gets hacked, they stand to lose a lot of money. If someone opens the hoover dam gates through a hack, that's a lot of money lost. We can ignore the morality and privacy issues, and just speak their $$$language$$$ here, and it still doesn't make a lick of sense that politicians aren't eviscerating Equifax right now.
So, are we supposed to like, lobby sense into their heads? I mean, why? Because we're patriots? I guess?
Then again I've got motorcycle riding friends in Houston that don't wear their helmets, and I still have to force people in my backseat to buckle up sometimes, so I don't even know. Why don't people take any kind of safety seriously?
Exactly. Yes, these issues can be somewhat hard to understand for non-security folks, but everyone can get the basics.
1. Do you have sensitive information?
2. Is a password required to access that information?
3. Is that password set to "password" or something else that would be trivially easy to guess?
It's like saying it's not your fault if a hacker takes extraordinary measures to tunnel into your house from below ground. But it is your responsibility to at least shut your front door.
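The three-question checklist in the comment above is the "shut your front door" bar. As an added example (not code from the thread or from any company discussed in it), here is a small audit in Python that puts that bar into code: it flags credentials that are on a common-password list, that are a leet-speak or "append 123" disguise of one, or that simply contain the username or service name. The blocklist, the leet map and the credential inventory are all constructed for illustration; the service names are hypothetical.

```python
import re

# Constructed blocklist of vendor defaults and perennial favourites (illustrative, not exhaustive).
COMMON_PASSWORDS = {
    "password", "passw0rd", "admin", "administrator", "letmein", "welcome",
    "qwerty", "changeme", "default", "root", "secret", "123456", "12345678",
}

# Common "leet" substitutions, undone before comparing against the blocklist.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case, drop the trailing run of digits/punctuation people bolt on to
    satisfy a complexity rule, then undo leet substitutions."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


def guessability_reasons(password: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a credential is trivially guessable; an empty list means it passed."""
    reasons = []
    raw = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if raw in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    norm = normalize(password)
    if norm and norm != raw and norm in COMMON_PASSWORDS:
        reasons.append(f"a thin disguise of {norm!r}")
    # Context-dependent guesses: the account name or the system's own name.
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and ctx.lower() in raw:
            reasons.append(f"contains the {label}")
    return reasons


def audit(credentials):
    """credentials: iterable of (service, username, password) tuples.
    Returns {service: reasons} for the failing entries only."""
    findings = {}
    for service, username, password in credentials:
        reasons = guessability_reasons(password, username, service)
        if reasons:
            findings[service] = reasons
    return findings


# Constructed sample inventory (hypothetical services; not real credentials).
SAMPLE_CREDENTIALS = [
    ("customer-db",   "admin",  "admin"),
    ("report-portal", "svc",    "P@ssw0rd1"),
    ("billing-api",   "svc",    "r7Q!vx9#LpW2mZ"),
    ("backup-share",  "backup", "backup-share!2019"),
]

if __name__ == "__main__":
    for service, reasons in audit(SAMPLE_CREDENTIALS).items():
        print(f"{service}: {'; '.join(reasons)}")
```

The point of the normalization step is that "P@ssw0rd1" is not meaningfully stronger than "password"; a check that only compares the literal string against a blocklist misses exactly the variants attackers' wordlists already contain. In practice the blocklist would be a real breached-password corpus rather than a dozen literals, but the shape of the check is the same.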
Equifax, like many Fortune-N companies, has a heavily funded sales and PR team working actively against your individual research.
Should you, as an individual, apply to a company or attempt to buy a product that has been "sold" the Equifax product suite, you're still beholden to Equifax services (or leave without the job or house).
You're effectively stuck, unless you have the resources (time/money) to look for employers or products that stay away from Equifax.
> Should you, as an individual, apply to a company or attempt to buy a product that has been "sold" the Equifax product suite, you're still beholden to Equifax services (or leave without the job or house).
Worse, there's pretty much no way to tell to which companies and products this applies.
This isn't some fast food restaurant poisoning its customers. None of Equifax's "customers" got screwed by their data leak, only the targets of their "product" caught the ramifications.
The best part about the Equifax breach is that the people whose data was released weren't even the customers. Pretty hard to stop doing business if there wasn't any in the first place.
"Don't do business with them" is a bogus missive, but you could lock your credit with all the agencies and only unlock the agencies you care to do business with when requested. But that often makes things difficult, and not all users of that data will have an account with an alternative provider. (Nor is the locked access the only product for which your data is offered...)
You could make sure you put on all loan applications that they will not check Equifax. Probably they won't even know how to handle that though and will either reject you, or ignore it.
And in practice, we also don't have completely free markets, and even if we did, it's highly unlikely that they would function the way current economic theory believes that they would.
We haven't had a lot of politicians that have been pro-human/worker/consumer rights in a while. We got a consumer regulatory agency. But when did you see them push back against actual troublemakers?
The consumer protection agency in the US was making great strides in pushing back against many bad players, including predatory lenders. Then the republicans gutted and defunded it, ending many investigations and siding with the scum feeding off the poor.
If we take the Equifax breach as an example here, and every person affected sued for even a very modest amount (say $10) and everyone wins their cases then we come to something like $1.5bn in damages, plus legal costs. Sure, that will probably work in that $10 is a gross underestimate, Equifax's market cap is ~$15bn, and their legal costs defending that many cases would be significant.
However, consider that it is very likely a small minority of those ~150m affected people are actually in a position to spend the time, money, and effort in actually suing and you end up in exactly the position you are now: Equifax doing fine and suffering no penalty for their actions. Class action suits aren't really a better suggestion either because they are typically settled for pennies-on-the-dollar, with the lion's share going to the lawyers anyway.
Suing might make sense where there's a small number of affected people, or where the damages per person are much higher, but when we're talking less than $1,000 damages per person it's really just not worth each individual's time or money to do so. This is _exactly_ the kind of thing regulation is good at protecting against.
Things are actually even worse than you describe. There's been constant action to restrict the use of class-action lawsuits and move towards arbitration instead.
Class-action lawsuits are the best tool we have -- even if the money each individual gets as part of a settlement is a pittance, in aggregate they do give companies at least some disincentive for unethical/illegal conduct.
While I don't disagree that they're effective, I'd say "best" is not true. They're not any more effective than (enforced) regulation. The only difference is where the money ends up -- private sector lawyer pockets or the public coffers. All else being equal, I'd rather the latter.
Good luck suing Equifax because you couldn't buy a home with a mortgage because Equifax had a record of you having a "low credit score" using data they collected on you that you didn't consent to. The data Equifax collects on you is both damaging and non-consensual.
Assuming the data collected are not in error, you mostly did consent to it. Read the fine print of any lease, loan, or other credit agreement. They almost all say they will report payment history (particularly late or non-payment) to credit bureaus.
> They almost all say they will report payment history (particularly late or non-payment) to credit bureaus.
If that was the only data reported to credit bureaus, that would be great.
But "reputation data" is increasingly becoming important in this sphere. Are you Facebook friends with people with a low credit score? Do you drive through a dodgy neighborhood on the way to work? Do you watch the wrong kinds of movies? Buy liquor? Stream the wrong shows?
It's all up for grabs, and with the "credit score" formulae locked up as trade secrets, there's no way to determine if your mortgage denial was because you were one day late with a cell phone bill, or because you stop at a red light next to a pawn shop enough times that your phone thinks you're a regular customer.
The FCRA gives you the right to know what is in your file.
In addition, the FCRA gives you the following rights (not inclusive):
- You must be told if information in your file has been used against you. Anyone who uses a credit report or another type of consumer report to deny your application for credit, insurance, or employment – or to take another adverse action against you – must tell you, and must give you the name, address, and phone number of the agency that provided the information.
- You have the right to dispute incomplete or inaccurate information.
- Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information.
- Consumer reporting agencies may not report outdated negative information. In most cases, a consumer reporting agency may not report negative information that is more than seven years old, or bankruptcies that are more than 10 years old.
"Speech should be free and unlimited!!!.... Well, unless the topic of the speech is me, then I should be able to control 100% what other people are saying about me, of course."
How you gonna sue someone for saying things about you that are true? That's not a thing (for good reason). Would you also sue a friend if you borrowed money from them and didn't pay it back and they warned others not to lend to you? Imagine how much a judge would laugh if you showed up to court saying "I didn't get a mortgage because I have a history of not paying my bills, I deserve compensation."
Nonsensical.
That's ignoring the fact that you actually consent to data sharing as a condition of obtaining credit products. And that's a reasonable condition with a business justification.
In the US it's politically infeasible to have any sort of government agency to collect this information, so it falls on the shoulders of private companies.
The data Equifax has on me is the exact opposite of "damaging." Because of data sharing I'm eligible for a broad range of credit products that I have gotten tens of thousands of dollars in value from. On top of that the information they collect about me allows me to pay a very small premium for car and home owner's insurance.
> Hacker News be like: "Speech should be free and unlimited!!!.... Well, unless...
This isn't a real argument unless you can show that the one person you're actually responding to has held both these positions. This is just a forum where a bunch of people opine; it's not a political party with a documented set of beliefs.
I think you overestimate the abilities of “certified AWS Architects”. You can get one without ever logging into AWS. At least for the “Architect Associate”. You could probably get away without any practical experience for the Developer Associate. By the time I got that one though, I had practical experience.
I did just that. I was a “software architect” for a company that was completely on prem that was moving to the cloud. Before I actually started working with AWS, I actually wanted to do it correctly and wanted an overview of the services offered.
For $reasons, I left that company about a year ago before ever touching the AWS console, and based partially on my “certificate”, I got another job and was given admin access to AWS. I spent the next year actually getting practical experience.