Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches (theverge.com)
On Wednesday, Sen. Elizabeth Warren (D-MA) introduced a new piece of legislation that would make it easier to criminally charge company executives when Americans' personal data is breached. From a report: The Corporate Executive Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" executives of corporations (that make more than $1 billion) when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."
How about some actual USEFUL legislation... (Score:5, Insightful)
Roll it up in online and maybe expanded individual privacy rights? The right to be forgotten? Banning shadow accounts (facebook) on people that never even joined your system/application/social media...?
Now something like that might actually be healthy and helpful to the average US citizen....
Re: (Score:2)
The only way something like that would work is if it comes with a crap ton of regulators to enforce it. Which, I don't consider a bad thing, but in today's political climate of deregulation, do you honestly see that passing?
Re: (Score:2)
Because bigger government is always the answer...
Well it seems to be an arms race with bigger corporations. What do you suggest? Surrender?
Worthless (Score:3, Informative)
EU did this with their data protection act. The result was that every time you opened Google or any other Google service that a banner popped up telling you to authorize them to do whatever they were doing without your consent to that point. If you didn't confirm, you couldn't use any Google service anymore. Imagine telling that to your boss if work needs to be done...
Re: (Score:3)
Actually no, that would not comply with GDPR and is not what Google does.
Under GDPR it is not allowed to tie provision of services to use of personal data that is not essential to providing said services. In other words you can't be forced to agree to non-essential processing just to use Google search.
Google displays a box asking you to review your privacy settings. If you ignore it, they legally can't use your data for non-essential purposes. It has to be opt-in. Eventually they will create a pop-over, but yo
Re: (Score:3)
I believe you haven't read Article 7, section 4 of the GDPR.
https://gdpr-info.eu/art-7-gdp... [gdpr-info.eu]
Privacy is a red herring (Score:4, Interesting)
This isn't a shot at tech companies. She just did that so it's harder to criticize her (after all, the tech companies just love liberals). No, this is a shot at the folks who crashed the economy in 2008. After that working class Americans lost trillions in wealth. That wealth wasn't destroyed, it was pocketed by the rich. It was the single biggest wealth transfer in my life. Maybe in history.
The trouble here is we focus too much on how Facebook knows what color car we like best or our favorite restaurant and not enough on the massive wealth grab that happens every 10 years when corrupt businessmen and politicians crash the economy and then buy up our assets at rock bottom prices while we're laid off.
Re: (Score:2)
Your comments are doubly inactionable. You suggest that the proposed legislation is not useful but you don't say why you think it is not useful. And you don't write up legislation for your congressmembers that would implement what you think is useful. Lobby groups are well known to write legislation for Congress to pass; you should take your ideas and put them into language that can get passed (the legal equivalent of "code or ..." minus the foul language and telling people to not participate in free speech
Re: (Score:2)
Most sites do not need it.
Re: (Score:2)
As opposed to everyone and their dog selling your personal information and them denying they have any shadow accounts on you when you don't even do business with them??? Is that really what you want???
No one claimed it would be easy, only worth it.
I expect companies that profit from selling personal information to push back, hard, on this as it directly cuts into their bottom line.
Re: (Score:2)
or companies would be forced to keep only what information is required to complete a transaction, then dispose of it once that transaction is completed. yeah marketing would take a hit, but that's probably a net benefit to society.
How would returning something work? The company would no longer have any evidence you purchased it from them.
Re: (Score:2)
Well, this would take a LOT of thought to do as a law, but it could be moderated by allowing info to be kept as gathered, in say..financial transactions, etc...whe
Re: (Score:2)
How would returning something work? The company would no longer have any evidence you purchased it from them.
In the same way we did it before the corporate takeover of the internet. It's called a sales receipt.
Re: (Score:2)
How would returning something work? The company would no longer have any evidence you purchased it from them.
In the same way we did it before the corporate takeover of the internet. It's called a sales receipt.
Which the buyer used to just walk into the store and...hmm..where do they go if it's online only?
About time! (Score:4, Insightful)
Awesome. Somebody needs to be held responsible.
Re: (Score:2)
Yeah, never mind whether the guy held responsible had anything to do with the crime...
Note that most CEOs, while they may be responsible for the decision to gather massive amounts of data, aren't actually writing code, so holding them responsible for bad code is...questionable.
Re: (Score:2)
Yeah, never mind whether the guy held responsible had anything to do with the crime...
Note that most CEOs, while they may be responsible for the decision to gather massive amounts of data, aren't actually writing code, so holding them responsible for bad code is...questionable.
The CEO is responsible to the stockholders. If the company gets rocked a bit by the number one guy going to jail, maybe getting a new boyfriend while there - they might have something to say about it.
Re: (Score:2)
Don't forget
The Second Law of Human Governance
Given a void in governance or a weakness, a corrupt, unjust and authoritarian group without any rule of law, will arise to fill the void
Now I understand that some prefer the East Indian type companies, or the type of company that ruled the Congo in the 19th century and would also prefer warlords but personally, that is not my preference.
Waitaminute (Score:4, Funny)
Re: (Score:2)
You can't treat us like common people!
TFTFY
Pointless (Score:3)
If you really want to make companies care about security and data privacy, make it easier for consumers to sue companies in civil court for these kinds of breaches. Companies care far more about threats to their bottom line, and are going to respond far more quickly to things which threaten it.
Re: (Score:2)
Companies care far more about threats to their bottom line, and are going to respond far more quickly to things which threaten it.
Equifax says "Hi", and would like to remind you that they exist. Also, they made way more money by not paying for decent security than they lost in fines and lawsuits.
Meet the CDBSO! (Score:5, Funny)
Re: (Score:2)
Or, as they called it on "How I Met Your Mother", the
"Provide Legal Exculpation And Sign Everything" (P.L.E.A.S.E.).
Re: (Score:2)
I believe the acronym you're looking for is "PLEASE", "Provide Legal Exculpation And Sign Everything". The relevant TV clip is here:
https://www.youtube.com/watch?... [youtube.com]
She's got my vote (Score:2, Interesting)
It's about time someone proposed a bill like this.
Re: (Score:2, Funny)
Or how about not lying about everything. Like the President.
Add the Government to that list (Score:2)
They hold more data on people than anyone on government computers, and they have proven they can be hacked. (OPM, etc.)
They should be required to take just as much care of it as any business. And they should face the same penalties. Maybe even retired Execs on whose watch systems stagnated for 10 or more years.
It'll never fly (Score:3)
All successful legislation has some sort of memorable/cute/catchy acronym. "CEA" just doesn't cut the mustard. Something like the Corporate Responsibility After Pwnage Act would have had a much better shot.
How about the Politician Accountability Act? (Score:3)
How about instead she proposes the "Politician Accountability Act"?
"The Politician Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" politicians when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when politicians oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."
Sounds a bit like a SARBOX bill but for privacy... (Score:5, Interesting)
English ain't source code (Score:2)
A common problem with laws like this is it's hard to write legal verbiage precisely enough to have teeth yet not be so specific that it leaves work-arounds and loopholes.
If you use generalizations and leave interpretation to judges and juries, they'll confuse it every which way, often depending on the manipulation prowess of the lawyers involved.
It may do nothing but make lawyers rich and everybody else confused.
Blame Shifting (Score:2)
Can't we have someone who ... (Score:2)
Is there any candidate who both isn't corrupt and NOT an obnoxious rabid zealot?
the term 'covered corporation' means a corporation that generates more than $1,000,000,000 in revenue on an annual basis
Why should how much a company makes dictate CRIMINAL liability of executive officers? Why should during an off-year when yearly revenues dip below some magic threshold the same executive officer have less CRIMINAL liability or vice versa? Why should an executive officer of a small million dollar company have less CRIMINAL liability for the same exact behavior as a larger company?
Making law that targets people you don't like so s
Re:Can't we have someone who ... (Score:4, Informative)
Why should how much a company makes dictate CRIMINAL liability of executive officers?
Because such a company has sufficient resources to actually fix the security holes identified by their security team.
Also, plain-ol' negligence gets the job done on smaller companies. Larger ones just factor the cost of fines and/or lawsuits into the decision.
Why should during an off-year when yearly revenues dip below some magic threshold the same executive officer have less CRIMINAL liability or vis versa?
Such line-crossing is not all that common. And you have to have some line to differentiate between a Mom-and-Pop and Equifax.
Why should executive officer of a small million dollar company have less CRIMINAL liability for the same exact behavior as a larger company?
The smaller company is usually restrained by the danger of lawsuits - they could actually destroy the business. Executives at larger companies (there's a reason I cited Equifax above) aren't.
Leave it to the lawyers to keep trying to make everyone liable for something even if they had nothing to do with it.
You should probably learn a bit about the concept of Negligence before commenting.
"We got hacked" isn't negligence. "Sir, there's a massive security hole here!", "I don't want to spend the money to fix it" is. The executives are in charge of making such a decision. That's why they get the big bucks.
Nice a law that turns arbitrary uncategorized unspecified civil violations into criminal ones.
Well, the fine executives over at ol' Equifax decided it was cheaper to just keep the security holes in place, and paid a pittance in civil liability.
Re: (Score:2)
Because such a company has sufficient resources to actually fix the security holes identified by their security team.
This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.
The smaller company is usually restrained by the danger of lawsuits - they could actually destroy the business
What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?
You should probably learn a bit about the concept of Negligence before commenting.
Negligence is whatever you can convince a judge and or jury negligence is.
"We got hacked" isn't negligence.
You're a big company, you get hacked, you get fined and sued no matter what the facts of the situation are. You could be fully compliant with whatever security standards exist and it won't do you a lick of good.
Well, the fine executives over at ol' Equifax decided it was cheaper to just keep the security holes in place, and paid a pittance in civil liability.
Is this suppose
Re:Can't we have someone who ... (Score:4, Insightful)
This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.
So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.
The line is drawn here such that these regulations would only affect very large companies. Because it's those very large companies that are not being reined in by plain-ol' negligence lawsuits.
What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?
The lawsuits are ineffective at getting very large corporations to care.
Let me put it this way: In a lawsuit, you can recover the value of what you lost. Someone destroys your car, you can sue and get the value of your car.
I was affected by the Equifax hack. Legally, the value lost to me in that hack is $0.
I am not a party to any transactions where that data has value (Equifax and its customers), so I'm not out any money. "Someone may commit credit card fraud in the future" is not a basis for winning a lawsuit. If someone actually did commit credit card fraud, I would have to prove the data came from the Equifax hack and not, say, the Blue Cross hack where my data was also stolen. And that's not possible due to all the middlemen involved in getting that data to the people who actually commit fraud.
At best, I could demand Equifax pay for credit monitoring for some very limited period of time. And since Equifax already provides that service, they are out a very trivial amount of money - it costs them almost nothing to turn on the monitoring software they already have.
Which means civil liability provides exactly zero disincentive to Equifax's executives.
Negligence is whatever you can convince a judge and or jury negligence is.
Nope, it has an actual legal definition.
You're a big company you get hacked you get fined and sued no matter what the facts of the situation is.
And as I demonstrated above, the cost of those fines and lawsuits is negligible, and thus provides no disincentive for being negligent.
Heck, golden parachutes mean there's virtually no incentive for executives to avoid negligence even if fines were astronomical. They'd still make a ton of money before the shit hit the fan, and the shit hitting the fan is zero impediment for getting a new job (Hi Bob Nardeli!)
Re: (Score:2)
Negligence is whatever you can convince a judge and or jury negligence is.
Nope, it has an actual legal definition.
A legal definition whose outcome rests primarily on what a "reasonable person" would do.
So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.
In effect you are making fun of yourself. You were the one who originally asserted a relationship between revenue and operating budget when you said "such a company has sufficient resources to actually fix the security holes"
The point I was making is clear to any reasonable person. You don't need to be making a billion dollars a year to have the resources to "actually fix security holes identified by their security tea
Please (Score:2)
Define "negligent" executives - is it "negligent" to hire a competent staff, but the staff makes a mistake?
Re: (Score:2)
is it "negligent" to hire a competent staff, but the staff makes a mistake?
Nope.
It is negligent to hire a competent staff, have that staff warn you about security issues, and you decide to save money by not fixing them.
The more difficult line to draw is just how incompetent does your staff need to be before it's negligence. But that's what judges and juries are for.
Risk vs Reward (Score:2)
I'm all for this bill to be honest.
This is how the military operates. Take a ship for example.
If you are the Commanding Officer of a ship, then everything about that ship is ultimately your responsibility. Good or bad.
If something stupid happens it's YOUR fault because there is likely something YOU could have done to prevent it.
( Be it better training for your crew, better judgement from your Officers, knowing everything about your ship inside and out, etc. etc. )
You don't get to blame it on a scapegoat.
Re: (Score:2)
If you are the Commanding Officer of a ship, then everything about that ship is ultimately your responsibility. Good or bad.
If something stupid happens it's YOUR fault because there is likely something YOU could have done to prevent it.
( Be it better training for your crew, better judgement from your Officers, knowing everything about your ship inside and out, etc. etc. )
You don't get to blame it on a scapegoat. YOUR command, YOUR responsibility. Period.
Your glory if you get it right, your shame if you don't.
Sounds great. Only problem it's demonstrably false.
Captain Kelly ran the Enterprise, a nuclear-powered aircraft carrier, aground and was promoted a few months later.
Captain Larrobino was not charged when a sailor was having a bad day and panic tossed a lit magnesium flare into a weapons locker nearly destroying a different aircraft carrier while killing 44. After the cause was found (manufacturing defects in flares) everyone who had been slapped on the wrist or court-martialed was cleared.
The risk alone will deter all but the most serious candidates to even apply for the job. Hell, it may even ensure that CEO's take security seriously. ( for once )
The problem with th
Re: (Score:2)
If I had mod points, I would absolutely give you one.
That's a really bad analogy. (Score:3)
But if a bank gets robbed, and the bank's customers' money is stolen, we don't put the bank manager in jail, we put the robber in jail. A corporation that got breached is far more like a robbed bank than it is a pickpocket.
If she wants to change the law to call a corporation that fails to do its due diligence in protecting user data criminally negligent, that's fine. If she wants to take a company that was taking reasonable precautions but got breached anyway, and send the executives to prison for having been robbed, that's absurd.
Re:That makes sense. (Score:5, Insightful)
I don't really know, but maybe the idea is to motivate the execs to stop cock-blocking IT dept's security budget.
Re: (Score:2, Insightful)
Naw, what this proposal would accomplish (if it actually passed and wasn't just a campaign talking point) is to increase the level of executive pay for anyone who might be caught and prosecuted under the law. Fewer people on the margin who want the job becomes less competition for the job becomes higher compensation for the job to attract the best candidates, the ones with other options. Basic economics, which Warren hasn't ever demonstrated she understands, of course.
Now let's see the laws about holding the
Re: (Score:2)
You're ignoring human nature. Executives would just think they can do the job, won't make stupid mistakes and won't be caught screwing up as they're better.
Re: (Score:2)
Sorry, have you never met a poor criminal before? I guarantee they would jump at the chance to make 150k per year, despite the threat of possible jail.
Re:That makes sense. (Score:5, Insightful)
Do you know what "executive" means? Do you know why they make hundreds of times more money than the average developer? It's because they're supposed to be responsible. Of course you should hold the executive responsible for these breaches. They were the ones in charge.
Re: (Score:2)
PLEASE.
Re:That makes sense. (Score:4, Funny)
That's not what happened here, but you do seem to grasp the correct usage of a red herring, you knob.
Re:That makes sense. (Score:4, Insightful)
Exactly, the rich one who has the power to tell the not rich one "forget about security, just get it done." Next time, maybe think about the topic for 10 literal seconds before posting.
Re: (Score:2)
Yup. And hopefully some protection for the poor geek at the end of the line, who is being told the CxO (or Provost in my case) is PO'd as heck and "just create those 100 instructor accounts with the same default password and tell them what it is to get them started" when the password still works and can't be changed after LDAP credentials are linked/added (after the other part of ITS did their job) ....
What? (Score:2)
Re: (Score:2)
You have to hold the people in charge accountable, not the people who follow orders.
The lesson from Nuremberg is that both have to be held accountable.
Re:That makes sense. (Score:4, Insightful)
It's better to hold the executive responsible rather than the managers or developers who chose poor security practices because s/he's the rich one!
Has nothing to do with money. Has everything to do with who holds the power. Managers? not much. Developers, none. CEO? they want to protect those millions they make.
We've become so weird in this country. The part that is related to money is that with a big paycheck should come big responsibility. Yet we go in the opposite direction, making that big paycheck owner absolved and immune from all guilt.
Re: (Score:2)
If it was up to the security guys 100% of the budget would go to security practices, training, and equipment.
A lack of security is never ever the fault of those implementing them.
Staff, software, and equipment, sure.
Training or certification? Might as well burn the money.
Re:A politician holding someone accountable? (Score:5, Insightful)
So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks?
Yes.
What about the people who are supposed to be applying the privacy policies?
what about them? They ultimately take their orders from the CEO.
What about the engineers and technicians?
Fuck you you snivelling little shitstain.
You think the technicians with the low salaries right at the bottom are somehow when the "profits first" CEO is putting on all the pressure to cut corners etc? Fucking corporate apologist. Of course you want the little guy to get it in the neck while the big rich man gets off.
Screw you.
There's nothing in it for the CEO if there is a security breach.
Are you simple?
Yes, yes you are.
There's money in it for the CEO to ruthlessly cut expenses to maximise profits.
Re: (Score:2, Insightful)
Wow someone has some real anger issues, and yes I am simple. I like it that way.
This is the reason I posted what I did. This is an emotional response to try and solve a problem. Let's look at this if it was deployed:
1) Company XYZ has a security breach. Data is compromised. Firstly, the CEO is packing his bags at this point (joke)
2) Politicians beat their chests and say how bad it is the data is exposed and this can never happen. Hang the CEO!!
3) The CEO goes to jail, perhaps their family is destroyed
Re:A politician holding someone accountable? (Score:5, Insightful)
Wow someone has some real anger issues,
Not really, I'm just tired of shitheads advocating to fuck over the people with the least power. Congrats, you're one of those shitheads.
3) The CEO goes to jail, perhaps their family is destroyed, etc. That will show them.
Yes, the CEO put profits above user data. That's a crime and he went to prison.
4) Company XYZ still has the same people in charge of security. The ones who were responsible for the security holes still work there.
did the CEO increase security's budget by enough? Nope. So he's the one ultimately at fault.
But by golly, we got that CEO. That will learn them. /em.
Yeah it will. The next slew of CEOs will think "hmm maybe I could make a bit less money and NOT go to prison. How about that?"
And then fund security properly.
Problem.
solved.
Re: (Score:2)
Ah, just give the security group more money. This doesn't take out the human element of an employee being lazy, reckless, etc. More money just sounds like a government solution, but I will concede this could help.
I hope you're kidding about the putting profits before user data. Of course they do. Are they not in the business of making money, not in the business of protecting data. I'm not saying they are or not, just lets be real... profit. Also, I'm not going to invest in a company if it's #1 priorit
Re: (Score:2, Insightful)
Ah, just give the security group more money.
Yes.
This doesn't take out the human element of an employee being lazy, reckless, etc.
Hire better people. No crunch deadlines etc. You know a good way of hiring better people and having enough to avoid crunches?
More money just sounds like a government solution,
governments successfully run the things that are too hard for companies to run.
Are they not in the business of making money, not in the business of protecting data.
The CEO is personally heavily invested in
Re:A politician holding someone accountable? (Score:4, Informative)
Generally, financial crimes don't involve prison time because there's no physical harm done. The economic harm is pretty easy to eliminate simply by adjusting the economics. i.e. You make the fine for putting profits above user data security so large that no CEO will put (typical) profits above user data. There's no need for prison sentences; that's just malicious victim-blaming because you're unable to find the thief. Remember, the CEO of the company holding your data isn't the one who stole your data - some hacker did. That's the true criminal. At worst, the company inadequately protected your data, or collected data that you may not have particularly wanted them to collect but you agreed to let them do it. Both are problems which are easily solved with economic disincentives. No need for prison.
The dynamic that's going on here is that in property theft, if the company that's holding property has it stolen, they're out the stolen property. That financial loss creates an incentive for them to adequately protect that property in proportion to its value. But in the case of data, the "stolen" data is merely copied by the thieves. The company is not out the data, and their ability to use it in whatever manner they previously were to generate revenue, is unaffected. The lack of that economic loss when they're hacked is what creates the entire problem. So the simplest solution is just adding an economic loss as a disincentive.
If you immediately jump to prison sentences, the only thing you're going to accomplish is making all these companies move their operations overseas, with all their executive officers located outside the U.S., and only keeping operational staff in the U.S. Your data will still be stolen just as it is now, because you didn't want to add an economic disincentive, and the companies found it easier just to move their executive officers out of the country rather than have them face prison time.
Re: (Score:2)
Yeah, but history shows us the mob loves to kill some rich folk, lol.
The next law will be just to prekill the CEO before the breach happens.
Re: (Score:2)
Wow someone has some real anger issues, and yes I am simple. I like it that way.
This is the reason I posted what I did. This is an emotional response to try and solve a problem.
Actually, there is no need for emotion. Just have people have some responsibility.
The concept that the Top person at a company is a relatively new idea. Once upon a time, old Harry Truman noted that "The Buck Stops Here".
Today, it appears that today's version of the CEO is almost immune from any kind of prosecution. No responsibility to anyone at a company, or to the nation. Their only responsibility is to the stockholders, and not the law. You have to be exceptionally corrupt, like Elizabeth Holmes of
Re: A politician holding someone accountable? (Score:2)
So the CEO assumes responsibility for every decision a company makes? Wow, that's a big responsibility, I mean, that means everyone that works at the company avoids responsibility for any problems, because ultimately the CEO is responsible. Heck, if I was going to take on everyone's responsibilities I'd think I deserve 50-100x the average employee's wages.
Re: (Score:2)
Sort of like how the military is happy to fire a base commander [foxnews.com] after a serious fuckup. The commander might not have done the fuckup himself, but he was in charge of those who were, so his career is effectively ended.
Re: (Score:3)
Is this about breaches or fraud? If breaches, sure, any large retail company will be subject to breaches. But fraud? Start with the big banks that foreclose on houses that aren't theirs, open unrequested accounts, or launder money for drug dealers. The first two at least meet that category.
Re: (Score:2)
I fully back this IF the politicians, like Elizabeth Warren, can also go to jail for their failures. I'm sure she will agree to this......
You should be. For example she's introduced a bill that could put her in jail if she owned any individual stocks (along with all the other Senators, Congressmen, and much of the White House.)
Maybe RTFB? It probably says what it considers "negligence".
Re: (Score:3)
Yes, the CEO is responsible.
That does not mean that all CEO's are cheats.
But, for a company that is expected to abide by the law and whatever model of decency and good citizenship is expected, it is the CEO who oversees all that the company does to be in compliance.
CEO's can err by acts of commission, the evildoers.
They can err by acts of omission, failing to keep the company in line even if it was all an honest mistake or oversight.
The CEO is responsible for what the company does, just like the captain of a ship.
If
Re: (Score:3)
The CEO is responsible for what the company does, just like the captain of a ship.
Nice tagline, what does it actually mean? Every Captain says they are responsible for their ship.
If a boat captain runs his ship aground, the Navy doesn't say,"gee, we know you didn't mean to run over the beach and boardwalk, so we'll let bygones be bygones." That is what responsibility is about.
Captain Kelly ran the Enterprise, a nuclear-powered aircraft carrier, aground and was promoted a few months later.
Captain Larrobino was not charged when a sailor was having a bad day and panic tossed a lit magnesium flare into a weapons locker nearly destroying a different aircraft carrier while killing 44. After the cause was found (manufacturing defects in flares) everyone who had been court-martialed was clea
Re: (Score:2)
how will this be workable? So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks?
YES, the CEO can always CHOOSE to have his company NOT STORE such data in the first place, and the CEO can always CHOOSE to spend more on data security.
Data leaks could happen only because the CEO chose to store such data AND did spend enough on data security.
Re: (Score:2)
Like what. What do you mean by "failure" in the context of an elected senator. You talking something reality-based like not engaging in insider trading, or libertarian derp like "failing" to single-handedly end deficit spending?
Re: (Score:2)
Re: (Score:2)
Not quite. Otherwise there wouldn't be laws regarding the safe secure storage of firearms, laws requiring immediate report of theft of firearms, etc.
Not that most of us gun owners wouldn't do all of that anyway... but you know... gotta pass laws.
Re:Do we charge homeowners for being burgled? (Score:5, Informative)
A closer analogy would be if someone broke into Public Storage and my stuff got stolen. If it could be proven that Public Storage was negligent (didn't spend money on increased security, even after being warned thieves were in the area), then yes, they should be charged with breach of conduct.
This analogy is closer, but still not all the way there, because we're dealing with a Public Storage that's somehow storing my stuff even when we don't sign up for it.
Re: (Score:2)
No, we don't charge homeowners from being burgled. But of course, that's an analogy so flawed only some kind of corporate-owned troll would even raise it.
Re: Cute (Score:5, Informative)
She passed the bar in 1976. That was before many people on here were born. She has taught at several universities, including the University of Pennsylvania Law School as a full professor and Harvard Law School.
You may not agree with her politics, but you are being dishonest to call her incompetent.
Re: (Score:3, Insightful)
In this area she is "incompetent": her expertise is in law and finance; she knows nothing about technology. She is right about executives and making them culpable, and there are all kinds of areas to do that, but without evidence of negligence this isn't one of them.
It is impossible to completely prevent a data breach and coming as close to it as you can would make it impossible for a company to actually operate. Including, perhaps especially, the rest of the technology pieces. Many companies are dangerously
Re: (Score:2)
Well said. Where we are at as a society/culture and level of tech makes this bill kinda stupid. I agree that there has to be some incentive to keeping data you control safe, but doing so will break most of what the average person has come to expect. People want their cheap goods to buy, their free social networks, etc. If you raise the bar on security then these things that people want will either have to go away, change radically, or start costing money.
If you take the average facebook user and ask the
Re: Cute (Score:5, Informative)
If you read the proposed law (https://www.warren.senate.gov/imo/media/doc/2019.4.2%20Corporate%20Executive%20Accountability%20Act%20Text.pdf) it "establish criminal liability for negligent executive officers of major corporations" who "has the responsibility and authority to take necessary measures to prevent or remedy violations."
So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison. She isn't an IT security expert. Neither are those executives. Still, there are industry standards. We would hold executives who manage our water supply responsible if it were sub-standard and they failed to correct the situation.
Re: (Score:2)
And I do agree, "It is impossible to completely prevent a data breach". It's like trying to prevent a burglary or an assault. You can make it more difficult, but you can't stop it 100%. Multiple US Presidents have been shot, and they have arguably the best security money can buy. That said, if the President was assassinated and the Secret Service were found to be negligent, heads would roll.
Re: (Score:2)
And I do agree, "It is impossible to completely prevent a data breach". It's like trying to prevent a burglary or an assault. You can make it more difficult, but you can't stop it 100%.
Yup, and we tend to make perfect the enemy of good.
Re: Cute (Score:5, Insightful)
If you read the proposed law (https://www.warren.senate.gov/imo/media/doc/2019.4.2%20Corporate%20Executive%20Accountability%20Act%20Text.pdf) it "establish criminal liability for negligent executive officers of major corporations" who "has the responsibility and authority to take necessary measures to prevent or remedy violations."
So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison. She isn't an IT security expert. Neither are those executives. Still, there are industry standards. We would hold executives who manage our water supply responsible if it were sub-standard and they failed to correct the situation.
One of the best pieces of advice I ever got was that if you want to fix a problem, you make it the problem of the person who can fix it.
Right now, there really is no actual punishment. People go tsk, tsk, a janitor gets fired, and it's on to discussions about where the stockholders' meeting is going to be held.
If the guy at the top is looking at some serious punishment, he or she will make certain that data security is taken seriously.
Most all of these breaches have been over seriously simple stuff that never should have happened.
Re: Cute (Score:5, Insightful)
As a victim of identity theft, I can personally attest that the credit agencies don't just view this as "not their problem", but actively see it as the victim's problem. When my identity was stolen, a credit card was opened in my name and only a stroke of luck made the card go to me. (The card was mailed out before the identity thief's address change was processed.) When I called the company (*cough*Capital One*cough*) about it, they not only told me they couldn't give me information ("because if you go and shoot these people, we're liable" - but you're not liable for opening accounts under my name?!!). They insisted that my wife likely opened the account - when my wife was right next to me freaking out over this. Finally, they refused to let the police speak with them. They told the police that they needed to call a special line. That line went right to voicemail and it was never answered. I've heard of other times where credit agencies like Experian harassed identity theft victims, telling them that the fraudulent accounts would remain on their credit report unless the victims produced massive amounts of proof.
Basically, these companies treat identity theft and data leaks as minor annoyances. Close the account if someone complains, write off the tiny losses, push the burden of proof onto the victims, and then go back to raking in tons of money. If any actual laws are going to be put in place to protect consumers, fight those laws tooth and nail. They never suffer any actual consequences - just look at Experian's data breach. Millions of people's personal information leaked and what penalties has Experian suffered? They settled a $22 million class action lawsuit, but they earned $5.2 billion last year. I don't think 0.4% of their income really hurts them much. If I was fined $300, it might sting slightly, but it wouldn't really hurt. Especially not if what I was fined for made me that much in 1.5 days.
There need to be actual consequences or things aren't going to get better.
Re: (Score:2)
"So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison."
A sufficient amount of scrutiny will always find them negligent. It is impossible to operate without "negligence" when it comes to security. The fact is that most of the best practices exist for a reason, in practice do little to reduce risk, and dramatically hamper operations. The more strict you are in enforcing best practices the more negligent people will s
Re: (Score:2)
Poe's Law can be annoying sometimes.
The law doesn't just apply to tech firms silly (Score:5, Insightful)
The reason she's focused on tech firms is that the media narrative is that the tech firms and the Democrats are in cahoots, so that anything she proposes to regulate to general businesses would be framed in that narrative ("why are you going after such and such and leaving Silicon Valley alone Ms Warren, hmmmm?"). This is a smart political move to defang one of the chief distracting narratives that would normally be used against her. It hurts the bill a little bit with techy nerds, but we're a tiny, tiny minority, and a lot of us (like me) see what she's doing there.
Re: (Score:2)
Your post reads as "welp, massive data breaches are inevitable!"
I am glad I don't work for any company you work for!
Punishing executives *finally* would rein in these corporations. It sends a message: get your shit together or get out of the fucking game.
It's about due diligence, not impossibility (Score:2)
Good thing that's a straw man, then. If your network is attacked by a zero-day exploit, particularly one done by a state intelligence agency, then there's not much you could have done and thus you won't face prison time. You host critical customer data on an unpatched Windows 2008 Server machine that's open to the internet? You're going to jail.
Re: (Score:2)
Re: (Score:2)
Yeah but you aren't following the tree. The COO knows nothing about it. The problem with holding someone accountable for doing everything they could is you are looking through a 20/20 lens of hindsight which never matches reality.
This is a set of books that no amount of accountability and budget can resolve. To people who aren't involved it sounds like we in security are saying "oh we can't make it perfect so why bother" or the ever popular "it's about raising the effort required to get in". But it isn't that. If
Re: (Score:2)
In this case someone will always have some fire doors chained shut somewhere. If they didn't, they wouldn't be able to do their jobs. There is no way to both follow all the best practices and operate in even close to a reasonably efficient way. There are things an exec could do to help if they legitimately understood that, but it wouldn't eat into profits, it would eliminate them, and only reduce, not eliminate, the problem.
Opinion with no underlying understanding? (Score:2)
Re: Cute (Score:5, Insightful)
She LIED about her heritage to take advantage of affirmative action laws. Should be disqualifying for being president or Senator right there. It disqualifies her from ever making any moral argument against me or what I do.
You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?
If so, you'd best address the gigantic orange elephant in the room.
Re: (Score:3, Insightful)
You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?
If so, you'd best address the gigantic orange elephant in the room.
This is the nature of the right these days. They are the party of morals, for other people... Trump is going to be at false or misleading claim 10000 fairly soon here, and they don't bat an eye, they just make up some story about how heaven works in mysterious ways and he is the chosen one to fulfill those ways.
Ain't it convenient when you can just:
1. Start with a goal.
2. Support any actions taken to reach that goal as some convoluted will of god thing.
Really, if you have to apply, but its okay because, it
Re: (Score:2)
And here we see how a serial rapist like Bill Clinton became president and they cover for him to this day. The DNC also supports KKK members like Northam without shame.
They also propose legalizing killing live babies and then tell you that you have no right to fly on an airplane.
This is the DNC today, infanticide while making you a criminal for eating steak. Congratulations on your moral superiority.
The medical term is fetus. It's not an infant until it is born, which coincidentally is exactly when "moral" conservatives such as yourself quit giving a shit and refuse to pay for any assistance.
Re: Cute (Score:5, Funny)
Re: (Score:3)
2. Using the word "Pocohantas" is, indeed racist.
3. The free market is not the guiding principle of our entire society. We need regulation. The free market isn't a cure-all.
4. Yes, company leaders do need to be exposed to personal liability. If not, then who is held accountable for a crime by a large company? The millions of stockholders? Should we arrest everybody who owns a share of stock of a company when that com