That's one way of looking at it. The other way is that companies should feel about equal pain relative to their sizes. Otherwise, big companies are able to gain an unfair advantage by just ignoring laws for which they can afford the fines.
> The other way is that companies should feel about equal pain relative to their sizes. Otherwise, big companies are able to gain an unfair advantage by just ignoring laws for which they can afford the fines.
Which doesn't make any sense and just gives them the incentive to play the same games they do in avoiding taxes.
The first reason it doesn't make sense is that the penalty should have some relation to the damages. If you cause $500 damage to someone else without their consent, screw you. But if the fine for that is $5000 per victim, it's a deterrent no matter how big you are, because $5000 is more than $500 (and provides a fair margin for the probability of not getting caught), and if the company is getting more than $500 in value from doing it then it could have just offered to pay the victim $501 to consent to allowing it, which implies that they're not.
Meanwhile if you don't think large corporations can move numbers around on a spreadsheet to minimize what they owe, you haven't been paying attention. And we sure as heck don't need a system where Equifax gets to put its risky business in one entity that has inconsequential revenues and then suffer a $10 total fine when it screws up this bad because whatever penalty percentage of almost nothing rounds to zero.
Say companies A and B each cause $500 in damages. Company A makes $600 from that act, while Company B makes $6,000. A fine of $5,000 is way over the top for Company A, but Company B can just write it off as the cost of doing business.
As I've said elsewhere, I'm not advocating one particular method of coming up with this number. I'm just saying that the fine should depend on the company, not be a flat number based on damages caused.
If the cost of damages (including a punitive 2x or whatever) is really and truly $500, and Company B is willing to make their victims whole at that cost...I'm 100% sure there's a problem that needs solving.
What you are talking about is called punitive damages. Punitive damages exist exactly for the purpose of causing financial pain to companies in order to give them actual incentive to change their behavior (since if it is profitable to kill people, companies will make killing people a standard operating practice, we have multiple proofs of this). No other type of damage is levied as punishment. Other types of damages are driven by actual recovery of damages.
Percentage of profits would be a terrible way to fine. Imagining how that could be messed with isn’t hard. Mysteriously there would be no profit and the following few years' worth of expenses would be pre-paid, spent or otherwise brought forward.
Sure, I don't really have any opinion on the best way to measure the size of a company. I'm just espousing the principle of scaling the fine to their ability to pay.
% of profits is fraught with ways to hide profits. Even gross revenue can be gamed, albeit with less efficacy. More practical is something like X dollars per infraction, with the ability for regulating bodies to exert some professional judgement that lets them determine if the culprit's infractions were severe enough to let the per-infraction cost put them out of business altogether.
Because fines like this are often more about sending a message to the entire industry than simply about reimbursing damage. It's saying, "make sure you take security seriously, or you're risking us taking X% of your revenue/value".
If you don't do it this way, you end up in a situation similar to speeding tickets: well-off people don't care at all (and are even probably more annoyed about having their drive interrupted than the actual fine), but it can mean a poor person has to skip meals to recover. If the goal is discouraging a certain type of behavior overall, it has to hurt violators comparably, no matter their wealth.
> It's saying, "make sure you take security seriously, or you're risking us taking X% of your revenue/value".
I would believe that if these companies didn't just keep doing what they were doing anyway. Losing a percentage of revenue or profit for one year does nothing to deter them! We need to reinstate the corporate death penalty. Equifax deserves to die for its negligence, IMO.
I agree with you; the fines are much too small. But the point is that they're too small for both Equifax and Facebook. Facebook's stock even went up because it was only a $5B fine!
The only way things will change is if the fines hurt more, but it needs to hurt the huge companies just as much as the small ones, otherwise it ends up just being another factor that helps keep the already-dominant companies at the top.
Do you really believe that Facebook's stock went up because they "only" got a $5B fine?
Facebook's stock went up because they had a pending fine, and the value of the fine was announced, reducing uncertainty. Put another way, would you buy a car that has an unknown repair bill for the same price as a car you know how much it's going to cost to fix?
"You don't get to exist if you screw up that badly" is a great way to send a message to an industry. Sorry, but Equifax is in a position to be a gatekeeper for data of people who haven't asked or given direct permission for them to have it. They should have gotten the death penalty as a corporation and their remaining data should have been seized.
Well, that's the thing. FB didn't necessarily cause $5B in damages, they broke the consent agreement. Actual damages might be, relative to the fine, minimal. It's hard to say how much monetary damage Equifax actually caused, but I think it's not unreasonable for a primary tenet of setting fine levels to be that they hurt, but aren't so punitive that the company must shut down, unless the activity was so egregious that a return to legitimate business may not even be possible or practical. Sort of like, in banking, the difference between leveling lots of fines on Wells Fargo for their shenanigans but letting Lehman Brothers just fail and go bankrupt. (I know, opinions differ on how these things should have gone down, and on whether Equifax should have been forced to wind down and parcel out its services to other entities. I'm just trying to explain why actual damages isn't always the sole consideration.)
Corporations are not people. They don't "learn lessons". They respond to incentives. If this breach didn't cost them dearly, but they still reaped any reward from having had the breach (e.g., saved money on security, and opt to pay the fine instead when they are breached), they will do it again in the future.
A fine is meant to deter as well as punish. If the fine is too small, it won't deter. And certainly if less than the profits earned, it can't punish, nor deter.
Corporations don't learn lessons, but people do. You want managers arguing for budget to prioritize security, or lawyers arguing for legal stuff, to be able to use this as a compelling example.
Losing $650 million is perhaps not quite as compelling a story as losing billions, or a smoking hole where a company used to be (as in Enron and Arthur Andersen). But it's a pretty big chunk of change. I have no experience making such arguments, but it seems plausible that it will be remembered for a while at Equifax and their competitors, at least?
I'm doubtful that people respond to such incentives rationally. It probably has more to do with how well the storyteller tells the story. And whether the thing they're selling actually works well for improving security seems pretty hit-and-miss, too.