You cant just give Jail-time for data breeches. It would encourage cover ups and scape goats. Also never underestimate just how disorganised large organisations are, incompetence at addressing issues is systemic and goes far beyond data protection. What seems like malice is sometimes just plain stupidity.
It has to be backed by some sort of regulatory framework. Just like a fire code or employment rights. But crafted in a way that it doesnt end up like PCI, ratings agencies or financial auditors. IE creating an industry that sells compliance and not actual security.
Perhaps something light, like mandetory minimum bug-bounty schemes for all companies, where fines (or more) are imposed for not addressing issues and an independant regulator works with larger companies to resolve issues (or penalise the company severely if they deliberately wont).
The reasonable company director should have known X and when found out was bound to report it. Person Y did not report it, should have known as it was their job to know and there aren't extenuating circumstances. Guilty. 6 months. Next case.
"I don't know anything about this company I accept 7 figure sums to oversee as a director." Should never be any kind of legal defence. If senior management and directors have something personally at risk you'll see vastly improved behavior. Right now we're selecting for the opposite and seeing the inevitable results.
There is a story like this about directors and management cover ups everysingleday
So person Y read an email late at night and forgot about it. So you send a director to jail. Tomorrow many of the "good" directors feel scared and they simply do not accept any new appointments.
Who will fill the void ? People who are overconfident and people who are not scared of going to jail.
It's much better to impose financial penalties. Should the directors or the shareholders pay ? Let them figure it out between themselves!
Doesn't PCI work well in general? It has a large amount of overhead but we see very few credit card breaches from within the "PCI vault," while we see many Social Security number breaches and email/password combinations.
For example, the Target credit card breach occurred because malware intercepted the credit card information at the Point of Sale appliances before the information was encrypted and transmitted.
Prison time seems extreme, but Congress should should absolutely establish statutory fines (for companies) for breaches of PII. Then any company officer can save the company money by simply spending more on prevention because it will lower breach insurance premiums.
You cant just give Jail-time for data breeches. It would encourage cover ups and scape goats.
WEll that's already happening without jail time so maybe give it a whirl. LEt's get real here, the idea of suits going to jail is just scary to some people but it'll be fine.
You cant just give Jail-time for data breeches. It would encourage cover ups and scape goats. Also never underestimate just how disorganised large organisations are, incompetence at addressing issues is systemic and goes far beyond data protection. What seems like malice is sometimes just plain stupidity.
It has to be backed by some sort of regulatory framework. Just like a fire code or employment rights. But crafted in a way that it doesnt end up like PCI, ratings agencies or financial auditors. IE creating an industry that sells compliance and not actual security.
Perhaps something light, like mandetory minimum bug-bounty schemes for all companies, where fines (or more) are imposed for not addressing issues and an independant regulator works with larger companies to resolve issues (or penalise the company severely if they deliberately wont).