by mfa1999 947 days ago
It’s frustrating that there are no consequences for companies and organizations that don’t have enough security/know-how/motivation to prevent data theft. Would it make sense to have a law that would penalize leaks and theft?
2 comments

There are financial consequences for healthcare data leaking (actual monetary fines) and some consequences for payment data leaking (primarily in the form of higher rates), but there are no significant penalties for leaking SSNs. So every adult feels like they get their data leaked on an annual basis and only get free credit monitoring. I think adding penalties for SSNs leaking would help.

Admittedly there are some macro effects that are causing security to be taken more seriously by companies in general. The proliferation of compliance programs, especially SOC 2, has made basic security the default for a large portion of B2B tech companies. Cyber insurance requirements are increasing. Newer state regulations and SEC regulations have pushed other companies to increase resources dedicated to security.

That said, this is an uphill battle after a decade or so of companies having no security, with passwords or SSNs in plaintext and everyone having access permissions.

There should be consequences for using SSN as an authentication mechanism.
> Would it make sense to have a law that would penalize leaks and theft?

GDPR has such provisions, if the company didn't do enough to protect the data. E.g. British Airways were fined for bad practices and because their website had a card scraper for multiple days, which they should have detected.