by Kalium 2742 days ago
You're completely right. Every company has a basic, fundamental obligation to respect the human rights of their customers and partners to security and privacy. This is best manifested as taking reasonable measures to ensure that this basic human right is protected.

Now, there may be a wrinkle. When discussing nation-state grade actors, there's a very real possibility that they may attack in ways that cannot reasonably have been protected against by most private-sector security programs.

What are we to think, to do, to expect in such a scenario? To what extent should we expect any company, even a large and wealthy one, to successfully fend off the full might of a large and powerful nation-state's offensive information security apparatus?

Again, you're absolutely and unquestionably right. Companies can, should, and must take reasonable measures to protect the basic human rights of security and privacy. There just might be some room for subtlety when considering what reasonable measures can accomplish.

1 comments

Absolutely. I didn't mean to imply otherwise. I don't expect companies to be able to stand up to dedicated attention from a nation-state.

What I was trying to say was that that doesn't relieve them of their responsibilities to minimize the damage afterwards.

Just because they can't be expected to win doesn't mean they should be able to wash their hands of the whole affair without trying to help.

What do you expect the outcome would be in a scenario where a company is living up to its responsibilities to deploy reasonable measures, deploy defense in depth, and work to minimize the damage of a breach in the face of a sustained nation-state attack?

More to the point, in what ways are the companies allegedly breached failing to live up to their responsibilities to help minimize the damage of a breach? What should they do in a scenario where investigations may be ongoing and potentially involving law enforcement?