This data breach nonsense with slaps on the wrist is very easy to fix. Just have the government assign a dollar value to each piece of private information and allow for class action lawsuits for data breaches.
I have been saying that companies that wish to collect and store private data should be forced to buy "data insurance" for this purpose, and to incentivize only storing necessary information.
But it wouldn't be a reward. It'd be a fine paid to the government. The only real reason with malicious intent I can see from it is people intentionally hacking companies to bankrupt them or cripple them. But that just means they had weak security anyways.
The OP was talking about class action lawsuits. The plaintiffs in class actions are individuals, not governments. I took that to mean the OP was talking about penalties to private actors, rather than to governments.
Also, increasing their security team by 1 engineer would have cost them more than $1M (assuming a salary of $100K). So from a pure economic standpoint it makes more sense for them to keep paying fines in future breaches.
Every year I see numbers going up in discussions here, with a recent claim that a Netflix engineer's cost was $430k (salary + overhead). Senior engineers at Netflix on Glassdoor were touching $200k; the "cost" (wild-ass guess on the part of the poster) seems a bit out of whack, and I was negatively exaggerating for effect.
But also I originally thought this was damages for a long-running practice - it wasn't. A 2013 data breach, from the article.
NC is getting a whopping $70k from this - likely many multiples of that eaten up in time/money and opportunity costs. I've seen a bit of "yay, there's precedent for paying a fine for this sort of thing" but this fine just put a price on this sort of activity. Data breach affecting someone in NC? You'll face a fine of $1.50 per account. :/
I am not aware of other firms that were fined by the government for their negligence w.r.t. a breach. I would applaud the NC AG for pursuing this. Despite the small amount, it sets a precedent. The second time Adobe fails, I presume their fine will ratchet up. Remember, they were using DES ECB for their passwords.
The extraterritorial EU General Data Protection Regulation (GDPR) sets fines of up to 4% of global annual revenue for companies not sufficiently protecting the personal data of EU citizens from May 2018 and onwards (with a cap of 20 million EUR).
The requirements for compliance are absolutely non-trivial, so I suggest that startups (and older companies) start designing compliance and privacy into their business processes and systems already today.
Do they have a feed into security yet? At the time I reported the release of all the emails and I couldn't get past first line support. They kept telling me that spam wasn't their problem.
For example:
- Social security number: $5000
- Credit card number: $1000
- Address: $500
- Telephone: $200
- Email: $100