by luesterklemme 2202 days ago
Because a lot of people just get this whole thing wrong. This whole discussion got poisoned by fear-mongering and a lack of understanding of the actual rules. Yes, you can be liable for a huge amount, but you will only be hit by that if you are either acting with malicious intent or objectively don't give a shit about the data security and privacy of your users.

There is no such thing as an "estimated fine amount" to base your ransom on. It depends on how important the company treated its security and how obvious the data leak is.


> It depends on how important the company treated its security and how obvious the data leak is.

Indeed. Which allows an attacker who is familiar with previous regulatory action to estimate the fine based on the specific circumstances involved in their attack.

Different sector, different country, different regulatory body, different regulator. Maybe the fines are comparable but I have my doubts that this could ever be a viable strategy.

But in any case that is not the problem of the regulations.

I'm not convinced by this; if a company was approached by an attacker who threatened to

a) Release stolen data;

b) Anonymously supply the regulator with full details of the leak

unless a ransom was paid, I imagine that the threat of an audit and potential regulatory action would be enough to persuade the company to pay the ransom if it believed the cost of the ransom to be lower than the cost of an investigation by the regulator.

The incentive of the GDPR is for the companies to place inherent value in their data safety. So either the companies can pay and not invest in future safety to come out cheaper in the short run, with the added risk of future attacks. Or they could cooperate, proactively reach out to regulators with a plan to improve, and pay the fine.

Yes, they could.

Or they could pay the ransom, which they deem to be less expensive than dealing with the regulator, and improve their data security to ensure they don't get caught out again.

I fully understand (and support) the reasoning behind GDPR; I just think that in this case there is a path which is easily open to abuse by attackers.