upvote

points

by awesan12 hours ago |
comments
upvoteby parable11 hours ago|
next
[-]
I'd also add a third issue to this list: data retention. Too many companies I've dealt with have privacy policies that state something to the tune of "we'll hold onto your data for as long as required" without giving much of an explanation as to how long "as required" is.
reply
upvoteby orrito10 hours ago|
parent|
[-]
Which usually means until the financial incentives to remove the data outweigh the incentives to keep the data. Data is more valuable than database storage costs, thus there is no incentive to remove the data. Policies should therefore be in place to punish unnecesary data retention.
reply
upvoteby chias11 hours ago|
prev|
next
[-]
There is a vast difference between it not being 100% impossible and data holders not doing the absolute basics to keep it safe.

I could imagine if, after a data breach, there was a government-run cyber investigative task force that would come into an organization, and be tasked with investigating and fully understanding the nature of the breach. We already have forensic detectives for other crimes, why not this one?

And if it turns out that the failure occurred due to the company acting negligently, a la (whoopsie all the records were in an open S3 bucket) then humans would be found personally liable.

--

But in principle, i also agree with the other causes you list. These are very much what GDPR was aimed at improving. It really is a shame when you look at what GDPR could have accomplished if not for malicious compliance by American tech giants, and shitty enforcement (instigated by American tech giants)

reply
upvoteby cdirkx11 hours ago|
parent|
[-]
It doesn't even need to be government-run, we just need the right incentives. I've seen proposals for making some kind of data loss insurance mandatory to compensate victims. The insurance companies would then conduct audits which determine the premiums for the company, and investigate for negligence after a breach.

Edit: Thinking more about it, this would probably also be positive for security investigators. If a company is stonewalling you and ignoring a legitimate bug report, you now have the option to escalate this to the insurer. Maybe they could even facilitate bug bounty programs for smaller companies

reply
upvoteby parable10 hours ago|
parent|
[-]
I've had a similar thought in the past. I was thinking about the feasibility of a law being introduced where each company making over a certain amount of money per year must begin a VDP (and optionally a BBP) so that security flaws can be reported to them easily. This can easily be done by simply opening up security@companydomain and using security.txt (https://securitytxt.org). Reports must receive a response in N days, where N is calculated based on available staff, resource allocation, and revenue of the company. If they don't receive a response after N days, this can be escalated to some government agency which can take action against the company for failing to respond to a report on time.
reply
upvoteby walletdrainer8 hours ago|
parent|
[-]
If something like this had been implemented 20 years ago, we'd probably be exactly where we are now. What's the point?
reply
upvoteby richardwhiuk11 hours ago|
prev|
[-]
Small businesses are equally vulnerable, and it's possibly to perform cyber attacks at scale - Gen AI makes this easier
reply