> You might have more faith in regulatory systems than you should.
I don't. What I do have faith in us companies to have a profit motive and work in favor of self preservation. And that comes with reducing risk for the company.
An example of a local company with bad security practices due to negligence or malice is no evidence of a publicly traded big tech company wanting to do the same.
A local company with bad security practices does not, at its core, make money by collecting user data. The collection of that data and the security or insecurity of its storage is pretty much orthogonal to the central business of every company in the world except for tech companies that sell consumer data.
Hence, the dictum "don't ascribe malice where incompetence would suffice" doesn't carry across these two different classes of organizations.
You may want to look into the histories of equifax, transunion et al. Not local businesses and definitely repeatedly guilty of this flavor of transgression.
This subthread is about, or at least started out when I initially responded as - adtech using ssn as an user identifier. I responded to that. I didn't intend to make any claims about anything else. Equifax is not adtech and is explicitly in the business of collecting ssn and related data.
Equifax is absolutely adtech. Their data is sold used by advertisers all the time. You can make changes to elements of your credit report using techniques widely available on YouTube and watch the spam and junk mail you receive change.
I don't. What I do have faith in us companies to have a profit motive and work in favor of self preservation. And that comes with reducing risk for the company.
An example of a local company with bad security practices due to negligence or malice is no evidence of a publicly traded big tech company wanting to do the same.