| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by Majromax 1830 days ago

> And now taxpayers are on the hook for shitty security. Hell why not?

They already are for more conventional crimes. If a business burns to the ground, its loss of assets is a business loss for tax purposes. Even if it doesn't, insurance premiums are a deductible expense, so the government sees its deduction for the amortized fire damage regardless (since insurers recover expenses plus profit via premiums).

The full article covers this. It's not like there's a specific "pay criminals, get a refund" item in the tax code, it's that damages and losses from crimes are treated like any other business expense.

1 comments

rapind 1830 days ago

I’d be OK with that if it was unpreventable. I think there needs to be a burden on the business to show they had some level (TBD) of security practices and policies.

I’d prefer if they had to have insurance so the market can determine how much crappy security would cost them.

We should want to minimize these instances.

link

toomanybeersies 1829 days ago

Trying to enact policy via the second order effects of the tax code is a terrible idea.

If companies should meet a minimum standard of security practices and policies, then this should be legislated. Same as fire codes and OH&S standards.

If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance.

link

rapind 1829 days ago

"If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance."

This is what I'm saying. It's a far better solution than subsidizing bad security practices w/ tax. Require insurance and the insurance companies will ensure you have decent security practices (or pay a lot more). If you can't afford it for your business, well then your business can't compete in the market.

Obviously the details matter though. It would be rough at first, but eventually insurance companies would have a vested interest in quality security audits.

link