by jeanvaljean2463 2754 days ago
Disclaimer: Not defending Marriott, as their Starwood Rewards/Marriott Rewards merger has been demonstrably one of the most epic, public IT integration failures that I've ever personally witnessed as a consumer bystander.

BLUF: I am a huge advocate of companies being fined on the basis of number of people affected and types of data leaked. This incentive to not be fined will be built into the formal or informal risk matrix that a company utilizes for decision making and these types of breaches will decline in number and severity from boneheaded mistakes. In the current model, the only incentive that exists is public embarrassment, but is quickly forgotten despite the incredible disclosures. ( See Equifax )

I know literally nothing about the internal state of their IT department but I suspect a great deal of it is likely outsourced and probably "least cost". From being a long time traveler ( over 1500 nights in Marriotts over the years ) I've seen their payment processing system go down, people remoting into public kiosks and typing plaintext passwords early in the morning, and (not so) hidden pages on their website that were intended for special promotions. As an example, their system that allows one to log into their "internet TV" account in-room to watch netflix will not purge account information at the end of a stay. I've checked in and seen other folks' Netflix splash pages when using the app. ( I always log them out as a courtesy, but suspect that others might not. )

All that being said, it's easy to point fingers and point out failures in hindsight. Every large company/government organization that I've served has similar failures, often not as public, but usually much more serious. In my own experience there is usually a core contingent of competent tech workers/developers who are aware of the technical debt and attempt to bring it up to management to solve, but get shut down as "there is no reason to spend money on something that isn't driving revenue/mission". The easiest way to solve this would be to introduce fines tiered for the number, type of data, and period of non-disclosure for companies. ( i.e. Equifax breach should have been a historically large fine in this thought. This, while widespread, is not on quite the same plane, sans the passport numbers. ) I'm not a big believer that the federal government is an effective information technology provider, but this falls in the realm of public good, making it a better fit. Structure the organization in a similar fashion to NTSB or the FTA, where case officers lead investigations with teams who have no axe to grind with any particular organization and are screened for non-bias. ( Just the facts, ma'am ) This is currently a role being filled by industry security companies, but I would argue that there has been sufficient bias demonstrated that it should be removed from private industry and put in a public forum. Similar to how the NTSB operates, if an American company has global presence, regardless of the location or nature of the disclosure, the disclosure would be investigated in a similar fashion forensically. ( NTSB investigates airline crashes of American manufactured aircraft regardless of location in the world. ) With the ubiquitous use of syslog data and packet captures that most companies retain, these investigations should be fairly easy to handle; recognizing that in most cases, like airline crashes, large scale IT failures such as breaches are usually a culmination of a series of failures and bad decisions over time rather than technically sophisticated attackers.

I hope that we start taking the current problems that face our burgeoning technical society a little more seriously rather than engaging in idle political artillery with little outcome for the public good. You know, public good, the thing that government is supposed to ensure through consent of the governed?

4 comments

I'm interested in a proposed value/penalty for individual and combinations of data. Even if it's a paper napkin approach.

Full name, probably not worth even a penny? Full name plus address plus phone? $0.05? Passport number alone? I have no idea, maybe zero, but full name + address + phone + passport + social? Could that be worth $2 per instance for a fine?

What about direct compensation for the person whose information is leaked? I've read recommendations people should get new passports because such information can be used to track people's movements across borders https://i94.cbp.dhs.gov/I94/#/history-search

So what if the per instance is really worth $110 (base value to replace the passport)? If 100 million people are affected, that's $11 billion. Not including fine. The Starwood acquisition was $13 billion.

In other words, it could nearly bankrupt the company, if it weren't for the success companies (and markets too, really) have had at shifting the burden of breaches away from the company, effectively freeloading.

Australia has the "Notifiable Data Breaches Scheme" under its Privacy Act, which requires breaches to be reported to the government[0].

It doesn't have an investigatory/corrective framework like the NTSB (in Australia, the ATSB), but it's the first step towards one.

Australian policy on technology and civil liberties has generally been very poor in the past 2 decades, but the Privacy Act and surrounding policies have been one of the few bright points.

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-d...

I agree with the idea that fines based on the number of users affected makes a lot of sense. One question I have is how would you propose that number be calculated? In truth, I think the company whose data has been leaked should know exactly how many records have been leaked, but per-individual based fines create an incentive for them to underreport this number. Do you think that’s a problem, and if so, is there a good answer for how society could get an honest answer as to how many individuals are affected in a breach?

> One question I have is how would you propose that number be calculated?

As a percentage of worldwide revenue on a sliding scale.

> In truth, I think the company whose data has been leaked should know exactly how many records have been leaked, but per-individual based fines create an incentive for them to underreport this number.

Very true, so triple damages for wilful underreporting and/or criminal sanctions for individuals.

Idea: Create an incentive to overestimate — if the leaked data shows up online (pastebin/etc), and the volume of affected users is x% greater than the publicly disclosed figure, then fines are doubled (or go up by 3*x% or whatever).

We might already have an example in HIPAA.

When we’re talking about the payment card data that was exposed, I thought there was a mechanism to charge companies on risk. My understanding of PCI DSS is that you have regular audits, and if you fail those, the cost charged by card companies goes up.

IME, you can get away with quite a lot during the audit. You don’t have to be perfect, you just have to have a plan to fix what was found. I would guess that the breached app was incorrectly classified as not in scope. PCI audits suck, and so there’s a huge incentive to classify your app/system as not in scope.

Do agree that the fine structure is what will get action. GDPR has raised interest in making some improvements in how PII is managed.