Taxpayers are "on the hook" for this in the same way that taxpayers are "on the hook" if I decide to take an early retirement and support myself by gardening rather than earning $300k a year in a Silicon Valley tech job, and paying income taxes on that, and the same way that society is on the hook because I have stopped producing any meaningful contributions to its well-being.
That is to say, it's a sliiiightly entitled way to look at the matter.
There are rules about what is taxed. If a rule says that something is not taxed is that the same thing as "taxpayers are footing the bill for that thing"?
Let’s say Bob and Sue make up their own society. Both make 100k each and agree to a tax rate of 50% to build roads they will both benefit from.
However Bob gets a 30k tax exemption because his name begins with “B”. Therefore the tax burden on Sue is greater and she’s subsidizing Bob’s road usage (and potentially having crappier roads).
There are legitimate reasons for tax exemptions, but as tax payers we should always be critical of them.
So does a business dropping the ball on security mean everyone else who pays taxes should subsidize their screw up? Maybe… but it seems like a stretch to me and worthy of criticism.
If knowing the business will not incur a cost due to writing off ransom payments as tax deductions, would that become a new strategy for corrupt CEOs to funnel money to themselves? Double dipping at the tax payer's expense?
> And now taxpayers are on the hook for shitty security. Hell why not?
They already are for more conventional crimes. If a business burns to the ground, its loss of assets is a business loss for tax purposes. Even if it doesn't, insurance premiums are a deductible expense, so the government sees its deduction for the amortized fire damage regardless (since insurers recover expenses plus profit via premiums).
The full article covers this. It's not like there's a specific "pay criminals, get a refund" item in the tax code, it's that damages and losses from crimes are treated like any other business expense.
I’d be OK with that if it was unpreventable. I think there needs to be a burden on the business to show they had some level (TBD) of security practices and policies.
I’d prefer if they had to have insurance so the market can determine how much crappy security would cost them.
Trying to enact policy via the second order effects of the tax code is a terrible idea.
If companies should meet a minimum standard of security practices and policies, then this should be legislated. Same as fire codes and OH&S standards.
If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance.
"If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance."
This is what I'm saying. It's a far better solution than subsidizing bad security practices w/ tax. Require insurance and the insurance companies will ensure you have decent security practices (or pay a lot more). If you can't afford it for your business, well then your business can't compete in the market.
Obviously the details matter though. It would be rough at first, but eventually insurance companies would have a vested interest in quality security audits.
That is to say, it's a sliiiightly entitled way to look at the matter.