by MichaelApproved 2858 days ago
If the Equifax breach didn't send anyone to jail, nothing will. A breach the size of Equifax should have been followed by massive fines and possibly even killed the company, but nothing happened.

Nothing happened because it's very difficult to assess damages of personal information.

For example, if a health insurer the size of Equifax lost the equivalent amount of HIPAA related information due to negligence, you can sure bet there would be penalties. That's because HIPAA related info has legally defined protections.

As it is, calculating the damages of releasing your Equifax info is a speculative guess at best, which is why at most you got to lock access or ID fraud protection.

> Nothing happened because it's very difficult to assess damages of personal information.

It's also very difficult to assess damages of copyright violations... and so the companies that had it in their interest to get this working pushed for statutory damages.

Maybe we need something like that for privacy.

Which is why damages for this negligence should have statutory minimums. $10,000 mentioned elsewhere in this thread is a nice round number. If given a sufficient period to fix their shit (a year?), no one can complain that they've been harmed by such a requirement. I've seen this in contracts, which said basically, "since it will take years for a court to assess damages if you do this awful thing you agree not to do, we stipulate here that the damages will be $X instead."
> Nothing happened because it's very difficult to assess damages of personal information.

It's interesting that you bring up health insurance, because that's an industry that definitely knows how to calculate the value of various pieces of personal information.

The concept of "I doubt you'd hear any competent IT director ever say they won't experience data breaches in the future." should tell you why we don't send people to jail for this type of thing. 100% prevention of breaches cannot be guaranteed ever [due to the infinite number of failure points in software and hardware as we've seen with the recent CPU hardware bugs, etc] so jailing IT people for breaches would only stop once every IT person was in jail because they didn't notice a line of code in millions of lines of code.

There should be some level of competence of course, leaving things wide open doesn't seem safe, lol.

It's about taking a reasonable level of security practice, like you said "some level of competency required."

We require this of our bridges, and our roads, and our buildings. I'm not sure why we don't for our personal information assets. Arguably the Equifax hack will cause far greater economic loss than, say, a hole in the middle of Mission Street opening up due to lack of review by a civil engineer, so I don't get it.

Is it because politicians are uneducated technically? We didn't have good fire law in America until a room full of seamstresses burned to death when the single exit was blocked off, do we need something similar for infosec? Equifax SHOULD have been that but whoever breached it didn't release yet (as far as I know) so maybe nobody is feeling the pain yet.

It would certainly be good to have some professionalism imposed at critical junctures.

I don't think criminal penalties are appropriate but civil penalties for data breaches should simply have no limit, the possibility of shareholders and debtors forfeiting all value should be included.

At the same time, the problem is "professionalization".

The problem of when one needs "real software engineering" is incredibly hard to solve. It's an incredibly fuzzy line and any organization would have a strong incentive to be on the cheaper, non-professional end of the line.

Plenty of people feel the pain, but do you really think this Congress gives two shits about regular people?
Only when the outrage gets loud enough to affect their chances for reelection (which happens with a lot of issues, just not this one).

Unfortunately, Hackernews seems to be the only place where security is taken seriously. Probably because we understand the severe collective risks involved to everything from banking to healthcare whereas most people as individuals don't care if say, their credit card number is stolen, since they aren't liable for fraud. It's hard to see the bigger picture if you aren't technical.

I don't think it's fair to say only this website takes it seriously, though perhaps this website is a good cross-section of people that do seem to take it seriously. You can also find those people on reddit, twitter, lesswrong, IRC, etc.

The question is, who's failing to make the whole WORLD care about it? Or at the very least, the politicians? I can count on shitty lobbyists at least ensuring that, like, the economy doesn't fucking burn us alive, because they lose money when that happens. Why aren't the fatcats also getting that about netsec? If the NYSE gets hacked, they stand to lose a lot of money. If someone opens the hoover dam gates through a hack, that's a lot of money lost. We can ignore the morality and privacy issues, and just speak their $$$language$$$ here, and it still doesn't make a lick of sense that politicians aren't eviscerating Equifax right now.

So, are we supposed to like, lobby sense into their heads? I mean, why? Because we're patriots? I guess?

Then again I've got motorcycle riding friends in Houston that don't wear their helmets, and I still have to force people in my backseat to buckle up sometimes, so I don't even know. Why don't people take any kind of safety seriously?

There is a bare minimum of precaution that doesn't seem to be followed in some of these cases.

Exactly. Yes, these issues can be somewhat hard to understand for non-security folks, but everyone can get the basics.

1. Do you have sensitive information? 2. Is a password required to access that information? 3. Is that password set to "password" or something else that would be trivially easy to guess?

It's like saying it's not your fault if a hacker takes extraordinary measures to tunnel into your house from below ground. But it is your responsibility to at least shut your front door.