by maxsilver 2846 days ago
> The correct response should have been for credit card holders to sue their credit card companies

Why? Why should it be the victim's job to find and prosecute criminals?

Should victims also be responsible for breaking up monopolies? Or cleaning up oil spills? Or keeping hospital patient records private? How much time and money should victims be required to invest in lawsuits to bring justice against illegal mistakes made by entities with thousands of people and millions/billions of dollars?

Wouldn't it be better if we had government agencies draft and strictly enforce regulations to prevent this? Like, say, an EPA for the environment, or HIPAA for healthcare, or GDPR for consumer/business data?


Whether it would be better is a really interesting question.

For this specific case, I think energetically enforced regulation would be clearly better. But in general, I'm not so sure. The American system of "let people do what they want; if there's harm, they can sue" allows a lot more room for innovation than a system of up-front regulation.

I think the difference for me lies in the extent to which an issue is a) in a stable context, b) causes significant harm, and c) is unlikely to be fixed through market mechanisms or self regulation.

Here, since consumer privacy is basically an externality to these companies and the market is an oligopoly, I think stronger regulation is a pretty good bet. But in general I think private right of action is underappreciated. Especially class action suits, which aren't burdensome for most plaintiffs.

I think the problem with that strategy is that harm is generally done on a large scale until someone prevents it from continuing.

Well, generally it isn't. Most businesses go along doing good things for their customers and getting paid in return. Really, given the way that the Internet has changed everything, we've had surprisingly few major problems.

As a tiny example, look at phone calls. They used to be absurdly expensive. In college I remember having phone bills costing ~30 hours of (minimum-wage) labor. Now it would be hard to explain to an 18-year-old what a long-distance call even was. These days I have effectively unlimited calling from anywhere to anywhere via a handheld device that costs ~7 hours of (minimum-wage) labor/month, and I see lower-cost vendors that provide it for ~4 hours/month.

If we had taken a regulation-first approach, where each new service had to get regulatory approval, I could imagine us still being stuck in the old paradigm, where each phone call had to go through a monopoly operator, and things like Skype were illegal. Or maybe we'd be part-way along the curve, but with incumbents pushing to increase regulatory burden and hobble startups.

So I agree the problem with a default-permit model is that you have more problems to fix, and some can be big. But the problem with a default-deny model is that you miss out on a lot of gains. And those, being hypothetical, are easy to underweight against the benefits of the status quo.

> Wouldn't it be better if we had government agencies draft and strictly enforce regulations to prevent this? Like, say, an EPA for the environment, or HIPAA for healthcare, or GDPR for consumer/business data?

Yes! The state enforcing this creates a legal threat. If the individual has to prosecute, there is a good chance that nobody comes after them, making it viable from the company's position to be a bit too relaxed. If the state strictly goes after it, the risk calculation is different.

Yes, it would, but our government agencies and officials are paid by Equifax to NOT draft and strictly enforce regulations to prevent this.