Hacker News new | ask | show | jobs
by rcoveson 44 days ago
I don't think that criminal negligence is the most helpful legal tool for incentivizing improved security. It's too hard to prove negligence.

Instead, there should be standard civil penalties for leaking various degrees of PII paid as restitution to the affected individual. Importantly, this must be applied REGARDLESS of "certification" or whether any security practices were "incorrect" or "insufficient". Even if there's a zero-day exploit and you did everything right, you pay. That's the cost of storing people's secrets.

This would make operating services whose whole "thing" is storing a bunch of information about individuals (like Canvas) much more expensive. Good! It's far to cheap to stockpile a ticking time bomb of private info and then walk away paying no damages just because you complied with some out-of-date list of rules or got the stamp of approval from a certification org that's incentivized to give out stamps of approval.
4 comments
jedbrown 44 days ago
And this strict liability will come with an expectation of insurance. The insurance policies will necessitate audits, which will actually improve security.
link
walletdrainer 44 days ago
I feel like there’s a tendency here to seriously overestimate how damaging these leaks are to individuals.

For most individuals impacted by these hacks, appropriate restitution would be $0. Anything more than that would go beyond making them whole.

link
Kiro 44 days ago
It's not a popular opinion but I agree. I live in a country that has a very extensive principle of public records, and often times these leaks disclose much less than you would get by simply calling the authorities and ask. Now, whether that's good or bad is a different story.
link
paulddraper 43 days ago
We use to hand out whole books of this information to as many people as possible. (phone books)
link
Neikius 43 days ago
Leaking school or medical record can have serious personal consequences that cannot even be enumerated
link
crazygringo 43 days ago
It can, but not for most people. For most people leaking that stuff would still have damages of zero dollars.

Which is what the comment above was referring to. "Most people". Not "all people".

link
Avicebron 44 days ago
The only right answer.
link
anonzzzies 44 days ago
Let's do this.
link