by FlyingLawnmower 2523 days ago
I don't understand how Facebook got a $5B fine, yet Equifax gets a ~$650m fine. The data breached in the Equifax case seems to cause far more direct harm, and affected many more Americans. It feels like the 10x difference should go the other way.

Can someone more educated in how these fines work teach me about how these numbers are calculated?


> The data breached in the Equifax case seems to cause far more direct harm

Facebook breached a consent decree with the FTC [1]. Demonstrating harm was simple—they breached a settlement.

Equifax’s harm is potentially great. But demonstrating damages is difficult.

TL;DR: Facebook is a repeat offender.

[1] https://www.ftc.gov/news-events/press-releases/2011/11/faceb...

> ...demonstrating damages is difficult.

I still don't see how less than $5 per person whose data was compromised constitutes a reasonable settlement.

Have you got better numbers?
In addition to demonstrating harm, regulators really hate it if you defy them. Repeat offenses carry a significant penalty as you're seen to be thumbing your nose at them.

That's what's frustrating about most of Elon's crap. Don't test the patience of the SEC with _tweeting_. Put your phone away and save that social capital for when you actually need it.

FB is more strategic but still repeatedly misleads congress, the FCC, etc. After a while, they're sick of being made to look a fool. Notice that FB isn't getting the "trust us" benefit of the doubt with Libra (nor should they.)

Yes. The other most significant aggregator of data, Google, is by no means a saint in this space, but I think they would get a bit more "trust us" points than Facebook. Their settlement over children's privacy on the YouTube platform is a salient example here. To my view, the rapid emergence of children vloggers turning it into a career and causing COPPA issues is probably something they should have twigged to earlier, but it doesn't smack of the blatant & extreme exploitation & carelessness of user data seen by Facebook. That said, Google is probably only one decent sized data scandal away from that territory, and hopefully takes FB's fine and increased scrutiny as instructive in being more careful themselves.
Facebook's market cap is $566B (common stock) and Equifax's is $16.6B.

The ratio of market cap differences is about 34:1. If Facebook's fine is adjusted to Equifax's it would be a $22.1B fine instead of $5B.

So, from a market cap perspective Equifax's fine is ~4x Facebook's.

I'm confused why that would have anything to do with it.

If you cause $100 in damages, you pay $100 (plus any punitive awards). Doesn't matter what your shares happen to be trading at that day.

That's one way of looking at it. The other way is that companies should feel about equal pain relative to their sizes. Otherwise, big companies are able to gain an unfair advantage by just ignoring laws for which they can afford the fines.
> The other way is that companies should feel about equal pain relative to their sizes. Otherwise, big companies are able to gain an unfair advantage by just ignoring laws for which they can afford the fines.

Which doesn't make any sense and just gives them the incentive to play the same games they do in avoiding taxes.

The first reason it doesn't make sense is that the penalty should have some relation to the damages. If you cause $500 damage to someone else without their consent, screw you. But if the fine for that is $5000 per victim, it's a deterrent no matter how big you are, because $5000 is more than $500 (and provides a fair margin for the probability of not getting caught), and if the company is getting more than $500 in value from doing it then it could have just offered to pay the victim $501 to consent to allowing it, which implies that they're not.

Meanwhile if you don't think large corporations can move numbers around on a spreadsheet to minimize what they owe, you haven't been paying attention. And we sure as heck don't need a system where Equifax gets to put its risky business in one entity that has inconsequential revenues and then suffer a $10 total fine when it screws up this bad because whatever penalty percentage of almost nothing rounds to zero.

Say companies A and B each cause $500 in damages. Company A makes $600 from that act, while Company B makes $6,000. A fine of $5,000 is way over the top for Company A, but Company B can just write it off as the cost of doing business.

As I've said elsewhere, I'm not advocating one particular method of coming up with this number. I'm just saying that the fine should depend on the company, not be a flat number based on damages caused.

If the cost of damages (including a punitive 2x or whatever) is really and truly $500, and Company B is willing to make their victims whole at that cost...I'm 100% sure there's a problem that needs solving.
What you are talking about is called punitive damages. Punitive damages exist exactly for the purpose of causing financial pain to companies in order to give them actual incentive to change their behavior (since if it is profitable to kill people, companies will make killing people a standard operating practice, we have multiple proofs of this). No other type of damage is levied as punishment. Other types of damages are driven by actual recovery of damages.
What does their ability to pay fines have to do with their share price? A % of profits or revenue would be more fair.
Percentage of profits would be a terrible way to fine. Imagining how that could be messed with isn't hard. Mysteriously there would be no profit and the following few years' worth of expenses would be pre-paid, spent or otherwise brought forward.
And that’s why you charge a percent of revenue, not profit.
Sure, I don't really have any opinion on the best way to measure the size of a company. I'm just espousing the principle of scaling the fine to their ability to pay.
% of profits is fraught with ways to hide profits. Even gross revenue can be gamed, albeit with less efficacy. More practical is something like X dollars per infraction, with the ability for regulating bodies to exert some professional judgement that lets them determine if the culprit's infractions were severe enough to let the per-infraction cost put them out of business altogether.
Because fines like this are often more about sending a message to the entire industry than simply about reimbursing damage. It's saying, "make sure you take security seriously, or you're risking us taking X% of your revenue/value".

If you don't do it this way, you end up in a situation similar to speeding tickets: well-off people don't care at all (and are even probably more annoyed about having their drive interrupted than the actual fine), but it can mean a poor person has to skip meals to recover. If the goal is discouraging a certain type of behavior overall, it has to hurt violators comparably, no matter their wealth.

> It's saying, "make sure you take security seriously, or you're risking us taking X% of your revenue/value".

I would believe that if these companies didn't just keep doing what they were doing anyway. Losing a percentage of revenue or profit for one year does nothing to deter them! We need to reinstate the corporate death penalty. Equifax deserves to die for its negligence, IMO.

I agree with you; the fines are much too small. But the point is that they're too small for both Equifax and Facebook. Facebook's stock even went up because it was only a $5B fine!

The only way things will change is if the fines hurt more, but it needs to hurt the huge companies just as much as the small ones, otherwise it ends up just being another factor that helps keep the already-dominant companies at the top.

Do you really believe that Facebook's stock went up because they "only" got a $5B fine?

Facebook's stock went up because they had a pending fine, and the value of the fine was announced, reducing uncertainty. Put another way, would you buy a car that has an unknown repair bill for the same price as a car you know how much it's going to cost to fix?

"You don't get to exist if you screw up that badly" is a great way to send a message to an industry. Sorry, but Equifax is in a position to be a gatekeeper for data of people who haven't asked or given direct permission for them to have it. They should have gotten the death penalty as a corporation and their remaining data should have been seized.
Well, that's the thing. FB didn't necessarily cause $5B in damages, they broke the consent agreement. Actual damages might be, relative to the fine, minimal. It's hard to say how much monetary damage Equifax actually caused, but I think it's not unreasonable for a primary tenet of setting fine levels that hurt, but aren't so punitive that the company must shut down unless the activity was so egregious that a return to legitimate business may not even be possible or practical. Sort of like, in banking, the difference between leveling lots of fines on Wells Fargo for their shenanigans but letting Lehman Brothers just fail and go bankrupt. (I know, opinions differ on how these things should have gone down, and on whether Equifax should have been forced to wind down and parcel out its services to other entities. I'm just trying to explain why actual damages isn't always the sole consideration.)
Because you want to teach them a lesson, not put them out of business.
Corporations are not people. They don't "learn lessons". They respond to incentives. If this breach didn't cost them dearly, but they still reaped any reward from having had the breach (e.g., saved money on security, and opt to pay the fine instead when they are breached), they will do it again in the future.

A fine is meant to deter as well as punish. If the fine is too small, it won't deter. And certainly if less than the profits earned, it can't punish, nor deter.

Corporations don't learn lessons, but people do. You want managers arguing for budget to prioritize security, or lawyers arguing for legal stuff, to be able to use this as a compelling example.

Losing $650 million is perhaps not quite as compelling a story as losing billions, or a smoking hole where a company used to be (as in Enron and Arthur Andersen). But it's a pretty big chunk of change. I have no experience making such arguments, but it seems plausible that it will be remembered for a while at Equifax and their competitors, at least?

I'm doubtful that people respond to such incentives rationally. It probably has more to do with how well the storyteller tells the story. And whether the thing they're selling actually works well for improving security seems pretty hit-and-miss, too.

Putting them out of business would teach them a lesson, one perhaps other companies might actually learn as well.
An eye for an eye makes the whole world blind.
I'm not sure that applies in the free market.

It seems less scofflaw companies aren't offered the chance to serve the same markets because criminal companies are let off too lightly.

Again, why? The lesson is for the industry as a whole to learn, not for an individual company.
That's like saying society has a whole lot to learn but not individual humans.
Installing government regulators on the board would teach their C-levels a lesson.
I won't lose sleep about either one of those.

Primarily, I want my justice system to administer justice.

Why not?
Or you file for bankruptcy...
The FB fine was due to violating a previously existing consent decree with the FTC due to previous violations. The "2nd offense" nature of the offense probably contributed significantly to the higher number.
Probably because FB is politically charged, disliked by both parties, consumers and the wider industry. The fine represents the public's anger at large.
And Equifax ISN'T?
Let's be honest, the average American barely knows what Equifax is.
Let's be even more honest: if they did know what Equifax is, what they do, and how long they've been doing it, they would certainly hate them more than Facebook.
Looks like you got downvoted a bit on this, but it's an excellent point. I fully think FB deserved what they got, and would not have balked at more. But Equifax, even with a fine higher than FB's relative to market cap, still seems to have gotten off lighter.
" You're good, You're good, You're good, You're good, FUCK YOU IN PARTICULAR You're good, You're good, You're good,"
Equifax offered free credit protection to mitigate damages.
IIRC you had to agree not to join class action suits to take advantage. Seems like a pretty self-serving tactic given that we're the ones who have to deal with their idiocy.
I got one of those letters. It seemed like a cruel joke to me. "We're sorry that we leaked all your personal data. But we have a great opportunity for you today! Send us some more personal data, and we'll monitor your file or something. For free! Trust us, it's gonna be great!"
I would imagine that Equifax was able to prove that they at least met the prudent man rule.

The prudent man rule requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.

The intent was to patch the system but they experienced some sort of issue that prevented the timely action. From what I understand, you only have to show the courts that you tried to do the right thing and had the right intention.

Plus they aren't involved in any election scandals which certainly helps....

The one positive thing that came out of all this is that you can lock down your credit for free and open it again for free when you need it. Basically no one could ever open an account or credit card in your name if the offering party tries to run a credit report.

Assuming I buy your argument, to me, it just implies that the prudent man rule is inadequate here. Intent doesn't secure my data. As far as I'm concerned, they can intend in one hand and shit in the other and see which one fills up first. When the consequences of failure are the compromise of the financial lives of virtually every American adult, you need to be more than prudent about it.
Yes, intent minus execution equals some level of incompetence. Which (I guess?) is better than never having the intent to begin with, but it's sort of a distinction without a difference. "I wanted to fix my brakes but the brake shop was closed, that's why I got into a car crash" isn't really an endearing argument to the other parties involved or the regulators (Police in this case) that deal with the fallout.
> Plus they aren't involved in any election scandals which certainly helps....

Yes, plus their perceived censoring of right-leaning content (real or imagined).

But between the election stuff and their attempt to set up a currency whose monetary policy would be governed by a group of wealthy corps and partly based in another country regulated by a foreign body... these are things that touch on the sovereignty of the US, and no government wants internal competition on that front.