[acollins1331]

Oh come on, do you think these companies are doing everything to protect our data? Why the hell is our credit card applications hosted online anywhere after they've been processed anyway? And for 14 years?

No mate, making it doubly illegal (such as actually fining and imprisoning the negligence in leadership that chooses forgiveness over permission) would undoubtedly help. There are plenty of ways to keep our data secure and they didn't do enough.

[mc32]

They probably have approved vendors for their data and SOPs in their DCA and it had information on how to configure it for the cloud and there are signatures and so on. But, it’s unclear whether they took into account rouge internal threats.

Be this on S3 or on your private assets, without proper controls for internal threats these things have a likelihood to happen.

[giancarlostoro]

After 14 days it should be encrypted independent of any AWS encryption as someone mentioned in the other Capital One thread and the key should not be stored on a S3 container or some obvious service that can be easily compromised.

Keeping all your eggs in one basket (the cloud) is never a good idea. If you have to do it try and give yourself as much control over sensitive data via encryption of no longer to be accessed data.

[Merrill]

More practical would be the removal of the Board of Directors and the CEO of the corporation, with the forfeiture of any unpaid future compensation and the ineligibility to serve as a director or officer of any other corporation. They are responsible for setting the policies and providing the resources to secure the corporation's data, and they have failed.

[cameronbrown]

This line of thinking doesn't work. I want to agree with you, but I can't. An executive could do all the right things by promoting and pushing for security in their organisation and still be hacked. Should he/she face jail now?

[chewmieser]

The OP called out "negligence," which would leave some wiggle room for the executive in your scenario. Promoting and spending directly on security would be proof that you're at least making a conscientious effort.

[sgjohnson]

Problem is, executives don't understand those things. Of course it's very simple to point a finger at them, but they rarely are tech savvy, and they are there to run the company, not micromanage every decision every department makes.

[okmokmz]

Hiring people that don't know what they're doing isn't a reasonable excuse, such as Susan Mauldin, the ex-CSO of Equifax with a bachelor in music and no technical or security related education/training

[lazylizard]

Then they had better start hiring replacements soon..

[acollins1331]

I'm fine for a judge and jury to decide what is and isn't actually criminal conduct and whether the EO was negligent in protecting customer data. It needs to be explicitly illegal first, though.

[HNisCurated]

Utopia solutions aren't really helpful for ideas.

It's great if companies had unlimited resources to spend on security, and didn't screw their customers with fees.

Let me remind you, even Apple had their phone hacked. More laws won't make mistakes go away.

[Nasrudith]

It doesn't take unlimited resources to destroy sensitive transient information past its time. The opposite really.

[HNisCurated]

I am not sure this complies with KYC laws.