
giantfrog | 7 months ago

This will never, ever, ever stop happening until executives start going bankrupt and/or to jail for negligence. Even then it won’t stop, but it would at least decrease in frequency and severity.

SoftTalker | 7 months ago

Unless there is willful negligence (very difficult to prove) or malicious behavior, I don't think putting people in jail will help. Most of this stuff happens by accident, not by intent.

Financial consequences to the company might be a deterrent, of course then you're dealing with hundreds or thousands of people potentially unemployed because the company was bankrupted by something as simple as a mistake in a firewall somewhere or an employee falling victim to a social engineering trick.

I think the path is along the lines of admitting that cloud, SaaS and other internet-connected information systems cannot be made safe, and dramatically limiting their use.

Or, admitting that a lot of this information should be of no consequence if it is exposed. Imagine a world where knowing my name, SSN, DOB, address, mother's maiden name, and whatever else didn't mean anything.

DanHulton | 7 months ago

Imagine using this defence with regards to airline crashes. "The crashes happen by accident not by intent" would be a clearly ludicrous defence, as it ought to be here as well.

If we were serious about preventing these kinds of things from happening, we could.

fn-mote | 7 months ago

> Most of this stuff happens by accident not by intent.

Consider the intent of not hiring enough security staff and supporting them appropriately. It looks a lot like an accident. You could even say it causes accidents.

Ekaros | 7 months ago

Remove limited liability. Have the stock holder bear full economic cost of the victims without any limit. They want to profit, they take full risk with all of their property.

spacebanana7 | 7 months ago

This can't be done in the modern financial system, I'd recommend holding senior execs and the members of the board responsible instead.

Shareholders may well be based overseas so it'd be very difficult to actually enforce the fines. They might also use overseas limited liability investment corporations, so fines would just bankrupt those companies leaving the actual shareholders never falling below zero.

There's also the political issues that'd come from potentially giving fines to millions of people because their pension funds invested in a company that had a data breach.

lynx97 | 7 months ago

Haha, I still vividly remember how they were trying to make me believe that GDPR is going to be a big hammer because it will finally make executives liable for breaches. I silently laughed back then. I am still laughing.

I should probably clarify: There are two types of people that claimed that back then. Those trying to gaslight us, and those naive enough to actually believe the gaslighting. Severe negligence has to be proven, and that is not easy, and there is a lot of wiggle room in court. Executives being liable for what they did during their term is just not coming, sorry kids.