by nostromo 2858 days ago
I actually don't think it needs to be criminal. We just need civil laws that make these kinds of leaks incredibly costly.

Maybe liability for private information loss could be $10k a user. So, Equifax would owe the public 1.4 trillion dollars. Of course, they wouldn't be able to pay that, so the company would be chopped up into bits and sold for scrap.

I think that would catch more attention than some mid-level manager fall guy going to jail for six months, as would likely be the case with criminal proceedings.


While I tend to agree with catastrophically steep penalties, there are perhaps unintended consequences.

It wouldn't be hard for an APT type shop to breach just about any average corporation using an arsenal of private exploits, fuck with their security configuration to make it look like gross incompetence, and exfiltrate the data to some seemingly-amateur front organization that actually leaks it.

End result is you could have foreign actors knocking out their country's competition abroad, using their competitor's laws to do so. Not ideal.

Maybe some determination would have to be made to avoid that, like a judgement rendered on the corporate culture. For example, is it obviously a cesspool of incompetence just in a general sense? Great, burn the company down.

Does the company custom-design their own ARM hardware to at least have a fighting chance vs APT-type threats? Maybe they did everything they reasonably could in that case. You could also argue smaller companies did everything they could even if they don't have the resources for that, provided there's not rampant incompetence.

Well, it could be. In the case where it looked like sabotage, I'd expect the victim company to go to great lengths to prove it (i.e., evidence to the contrary, etc.). It probably wouldn't be that hard.

In this case, it was a spyware company. Seems almost fitting that they'd be unconcerned about securing data that was essentially tricked/stolen from their users.

If the APT is good enough, you're talking forensically not provable.
You missed step 0 in this scenario where steep penalties are the default: short the stock.
The market will overlook anything if the company is still profitable. That's where regulatory penalties shine.
More importantly it punishes the organization for something that is an organizational failing, whereas jailing an individual system administrator for a data breach punishes the individual for the incompetency of their superiors.
Maybe liability for private information loss could be $10k a user.

Or maybe up to 4% of the company's revenue.

Up to 4% of the company's revenue doesn't solve much. Depending on the sector, 4% of revenue (are we talking EBITDA?) may potentially be less than a slap on the wrist, and internally middle-management will take the blame for the reduction in sales margin/operating profit.
The above comment is almost certainly a reference to GDPR, for which the maximum penalty for malicious non-compliance is "up to 4% of the total worldwide annual turnover." It is not net income or profit or EBITDA or anything else that subtracts operating cost; it is revenue.
Parent said revenue, not EBITDA.
Strange how anti-GDPR HN is... Until something like this happens.
It's almost like this is a disparate community of people with widely varying opinions on a rather important and controversial implementation...
How does GDPR help with this situation? It is unclear to me.
This is what GDPR is for AFAIK.

IMO all the cookie warnings we see are just misguided attempts to ignore it and continue more or less like before and should probably not save anyone in court, again if I've understood it correctly.

4%? That just means worker bees won't be getting a raise this year.
If they can keep the worker bees without giving them a raise, why do they?
Up to 4%? Wouldn't that simply be considered cost of business for some corporations? Pay less in security, etc. and just consider the 4% a smaller tax of sorts?
It is highly unlikely that the chairman and CEO of any corporation that was found guilty under GDPR and had to pay 4% would survive.

Few bank CEOs have survived the various "we will get some payback for 2008" fines over the years.

If you want to change corporate culture, you don't need to destroy the company, just hold a gun to the head of each CEO and see how fast they make sure everyone else dances.

This is one of the best things about Sarbanes-Oxley - the CEO actually signs off the accounts and will go to jail if the accounts are misleading. So guess what has had top priority at banks across the globe?

Sorry I meant to add per case, as it is in GDPR.
I see, thank you for the clarification.
Does this company operate in Europe? If so, GDPR is exactly the kind of thing that would make this incredibly costly.
Unfortunately, one of those chopped up pieces being sold will be the user data they have. :(
In the US, I'm highly pessimistic that any law that gave people a private right of action against basically any company that touches their data would ever pass without large and noticeable changes to the business and legal landscapes.
But the person affected should get the money, not the government.
While that's fair, it should actually be the other way around.

Let the government keep the money. They'll be more inclined to actually enforce the law. We see how aggressively they police drugs when they stand to benefit from civil asset forfeiture.

This would incentivize people to dish out private information on insecure platforms for the sole purpose of baiting compensation.