Politics Aug 10, 2019
Apple purifier

Should companies be held accountable for dara breaches?

Each time I read tech reports about data breaches, I remain astonished by the level of total incompetence of those companies that have been hacked. Most of the cases are security 101. Their PR is even worse, preaching that user’s data security is paramount to them, when clearly it isn’t. The few times the government prosecuted them, it ended up with a joke... a few pennies. Meanwhile our personal data is shared everywhere. To change this trend we should have stiff penalties, and very personal ones. Like board, CEO and all executives getting 0 reward for 1 year and a pay cut to 50%.

Capital One riphammy Aug 10, 2019

No they shouldn't.

Apple purifier OP Aug 10, 2019

Feeling guilty?

New ISXM10 Aug 10, 2019

Absolutely not

OpenTable Meliodas Aug 10, 2019

Sure, make them liable for $1,000/user, or actual damages, whichever is greater, payable to the user. Companies can then appropriately price security.

Facebook grey-bear Aug 10, 2019

In the EU, it's €10-20k per user. And non EU citizens can still sue under the GDPR if the entity has an EU presence...

Microsoft Hifiman Aug 10, 2019

Who is Dara

Amazon geoffrey Aug 10, 2019

Uber CEO

Amazon geoffrey Aug 10, 2019

the data breaches or the dara breaches?

Facebook grey-bear Aug 10, 2019

Under the EU's GDPR, people aware of data violations who didn't tell their DPO about it are personally liable for up to €20m in fines. It's gonna get interesting.

New aFuC30 Aug 10, 2019

You are so naive... somebody, somewhere, at every company on the planet is being careless and incompetent. Go to any security conference anywhere... lesson 101, everyone in the US’s data is already breached... all you can do is protect the transactions against that data.

Microsoft cookie69 Aug 10, 2019

Cybersecurity breaches aren't a technology problem, they're a people problem. That's why it will always continue to happen. Employees don't follow good cybersecurity practices, they can be taken advantage of, and an outsider gets access into a system. As long as employees can communicate with the outside world, breaches will continue to happen. Companies do all they can to train employees for these instances, but nobody actually listens lol. So on one hand, they should be held responsible because damages occurred on their watch, but also, what can they really do?

Apple purifier OP Aug 11, 2019

Do you remember the Equifax case? The VP of security was a music major. Most data breaches happen because of misconfigured software (weak defaults, silly or no password, etc.), dumb decisions (user data in clear, including passwords) and moron developers (how can SQL injection still be a thing?). Why are companies handling user data not forced to have a certified security manager? One person responsible for security with credentials, and not someone that can play guitar.

Amazon brwl34 Aug 11, 2019

They should be held accountable according to the terms and conditions agreed to by their users.

OpenTable Meliodas Aug 11, 2019

The terms and conditions usually say that they will keep the data private and secure.

Amazon brwl34 Aug 11, 2019

Then they’re in breach of contract and may be sued by customers for damages related to a data breach.