by 201984 23 days ago
I'll bite. Why is it the fault of the organization that gets broken into, rather than the fault of the attackers breaking into it? Even if the defender takes every reasonable defensive measure, they could still get pwned from some zero day that they had no defense against. Should they be fined into oblivion for something like that?

The question is whether the defender takes reasonable defensive measures or not.

The problem is that without having some kind of enforcement, businesses will decide that it is cheaper to not worry at all about security and thus their customers will have their data leaked/shared etc.

There's a world of difference between a company that puts effort into security and one that doesn't.

What is my incentive, as a shareholder in a medical company, to demand functional, bulletproof security, to hold on to no more data than I need, and to encrypt everything? I'm never going to suffer as a result of breaches. Nor are any of my staff, so long as evidence doesn't show that they did it deliberately.

A cryptocurrency business or a diamond business, by contrast, has very strict security protocols, because if they don't, all the value gets wiped out very quickly. The rules basically absolve the healthcare company of fiscal responsibility.

This update OP is posting about may require jumping through certain hoops, but it does not require functionality of those measures.