Slashdot Mirror


Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches (theverge.com)

On Wednesday, Sen. Elizabeth Warren (D-MA) introduced a new piece of legislation that would make it easier to criminally charge company executives when Americans' personal data is breached. From a report: The Corporate Executive Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" executives of corporations (that make more than $1 billion) when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."

276 comments

  1. Cute by OffTheLip · · Score: 0

    not the girl but the bill. It's money right? Warren is not going to turn down money, possibly this source, but she's a survivor.

    1. Re: Cute by MooseTick · · Score: 5, Informative

      She passed the bar in 1976. That was before many people on here were born. She has taught at several universities including the University of Pennsylvania Law School as a full professor and Harvard Law School.

      You may not agree with her politics, but you are being dishonest to call her incompetent.

    2. Re: Cute by Anonymous Coward · · Score: 0

      I take it back. I look forward to a demonstration during an upcoming fireside chat

    3. Re: Cute by Shaitan · · Score: 2, Insightful

      In this area she is "incompetent" her expertise is in law and finance, she knows nothing about technology. She is right about executives and making them culpable and there are all kinds of areas to do that but without evidence of negligence this isn't one of them.

      It is impossible to completely prevent a data breach and coming as close to it as you can would make it impossible for a company to actually operate. Including, perhaps especially, the rest of the technology pieces. Many companies are dangerously close to the breaking point as it is.

      There is only one solution to the problem, back off your technology massively and rebuild your structure from the ground up with an eye on optimizing the places it makes the most sense with technology. Stay away from technologies that make tech resources cheaper, your tech resources will be the ones who want them because they make their jobs easier. Just hire more tech people instead, they won't all need to be top dollar top end resources. Just hire a couple of those guys and lots of high school grads to train on the job. Minimize code, intelligent, dynamic, programmable, anywhere and everywhere you can and absolutely minimize in house code. Where you do need it make it open source.

      Every piece of tech in your organization adds linearly to the overall attack surface of your organization. Every layer of house developed code (or configuration flexible enough it might as well be a script or code) easily adds an order of magnitude. There are some things you can do to protect that attack surface but remember they add at minimum linear attack surface of their own and the more dynamic and flexible they are the more they add. Intelligent systems are even worse because they don't follow the predictable and secure patterns your work force follow. For the most part solutions to "protect" you are snake oil.

      And whatever you do, for the love of all that is holy stay the fuck off the cloud, devops, and if you can't avoid hiring any devs at all don't even let them use any library less than 7yrs old or anything the actual admins say is a bad plan and don't deploy their code until it has been tested in dev and staging for at least 6 months and then phase in per admin and security requirements.

    4. Re: Cute by cdsparrow · · Score: 1

      Well said. Where we are at as a society/culture and level of tech makes this bill kinda stupid. I agree that there has to be some incentive to keeping data you control safe, but doing so will break most of what the average person has come to expect. People want their cheap goods to buy, their free social networks, etc. If you raise the bar on security then these things that people want will either have to go away, change radically, or start costing money.

      If you take the average facebook user and ask them if they want their privacy, they will say yes. If you tell them that will mean a monthly subscription, they would rather it be unsafe. If you tell them that things won't share as easily, they will want it unsafe, etc, etc, etc.

    5. Re: Cute by Anonymous Coward · · Score: 0

      You would be surprised at how easy it is to become a professor when you are from a wealthy, well-connected family.

    6. Re: Cute by Mark+of+the+North · · Score: 5, Insightful

      She LIED about her heritage to take advantage of affirmative action laws. Should be disqualifying for being president or Senator right there. It disqualifies her from ever making any moral argument against me or what I do.

      You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?

      If so, you'd best address the gigantic orange elephant in the room.

    7. Re: Cute by MooseTick · · Score: 5, Informative

      If you read the proposed law (https://www.warren.senate.gov/imo/media/doc/2019.4.2%20Corporate%20Executive%20Accountability%20Act%20Text.pdf) it "establish criminal liability for negligent executive officers of major corporations" who "has the responsibility and authority to take necessary measures to prevent or remedy violations."

      So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison. She isn't an IT security expert. Neither are those executives. Still, there are industry standards. We would hold executives who manage our water supply responsible if it were sub-standard and they failed to correct the situation.

    8. Re: Cute by MooseTick · · Score: 1

      And I do agree, "It is impossible to completely prevent a data breach". It's like trying to prevent a burglary or an assault. You can make it more difficult, but you can't stop it 100%. Multiple US Presidents have been shot, and they have arguably the best security money can buy. That said, if the President was assassinated and the Secret Service were found to be negligent, heads would roll.

    9. Re: Cute by Anonymous Coward · · Score: 0

      I have enough room in my political position to dislike both Trump and Warren.

    10. Re: Cute by Anonymous Coward · · Score: 3, Insightful

      You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?

      If so, you'd best address the gigantic orange elephant in the room.

      This is the nature of the right these days. They are the party of morals, for other people... Trump is going to be at false or misleading claim 10000 fairly soon here, and they don't bat an eye, they just make up some story about how heaven works in mysterious ways and he is the chosen one to fulfill those ways.

      Ain't it convenient when you can just:
      1. Start with a goal.
      2. Support any actions taken to reach that goal as some convoluted will of god thing.

      Really, if you have to apply, but it's okay because, it probably isn't okay...

    11. Re: Cute by Anonymous Coward · · Score: 0

      That's how those type of people work. They attempt to take advantage of everything they can. People who don't do that are seen as fools to them. Why would you ever give up a personal advantage? Another well known example, Steve Jobs drove a different car every day so he could illegally park in the handicap parking spot without getting a ticket. All to avoid walking a couple car widths. I'd bet most of the people in the higher levels of government have this attitude. She fits right in.

    12. Re: Cute by rsilvergun · · Score: 5, Funny

      Don't you mean origin elephant?

      --
      Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    13. Re: Cute by Ol+Olsoc · · Score: 4, Insightful

      If you read the proposed law (https://www.warren.senate.gov/imo/media/doc/2019.4.2%20Corporate%20Executive%20Accountability%20Act%20Text.pdf) it "establish criminal liability for negligent executive officers of major corporations" who "has the responsibility and authority to take necessary measures to prevent or remedy violations."

      So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison. She isn't an IT security expert. Neither are those executives. Still, there are industry standards. We would hold executives who manage our water supply responsible if it were sub-standard and they failed to correct the situation.

      One of the best pieces of advice I ever got was that if you want to fix a problem, you make it the problem of the person who can fix it.

      Right now, there really is no actual punishment. People go tsk, tsk, a janitor gets fired, and it's onto where the stockholder's meeting is going to be held discussions.

      If the guy at the top is looking at some serious punishment, he or she will make certain that data security is taken seriously.

      Most all of these breaches have been over seriously simple stuff that never should have happened.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    14. Re: Cute by Ol+Olsoc · · Score: 1

      And I do agree, "It is impossible to completely prevent a data breach". It's like trying to prevent a burglary or an assault. You can make it more difficult, but you can't stop it 100%.

      Yup, and we tend to make perfect the enemy of good.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    15. Re: Cute by Anonymous Coward · · Score: 0

      Bah. Elizabeth Warren has never served in combat in the military, nor as a law enforcement officer walking beat.

      I'm tired of these lefty politicians telling us how to run our legal system. Leave it to the cops and soldiers!

      #MAGA
      #ThinkAboutTheOranges!!!!!!!!

    16. Re: Cute by jeff4747 · · Score: 1

      Poe's Law can be annoying sometimes.

    17. Re:Cute by Anonymous Coward · · Score: 0

      You kids. You think you invented it...

    18. Re: Cute by Anonymous Coward · · Score: 0

      "She is the definition of incompetent"

      She is the definition of that cesspool on the other side of the Potomac. And not alone either.

    19. Re: Cute by DNS-and-BIND · · Score: 1, Insightful

      Whataboutism ? That's your only reply? Warren didn't just lie, she falsely claimed to have Indian heritage when she did not. That's a HUGE crime by leftist standards. And yet she's in your tribe, and these things aren't wrong when you do them.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    20. Re: Cute by n3r0.m4dski11z · · Score: 1

      "It is impossible to completely prevent a data breach and coming as close to it as you can would make it impossible for a company to actually operate."

      Your post reads as "welp, massive data breaches are inevitable!"

      I am glad I don't work for any company you work for!

      Punishing executives *finally* would rein in these corporations. It sends a message; get your shit together or get out of the fucking game.

      --
      -
    21. Re: Cute by Anonymous Coward · · Score: 0

      After 45*, you have permanently lost the right to complain about anything a Democrat says or does, for all time. Period.

    22. Re: Cute by Anonymous Coward · · Score: 0

      She does have Indian heritage. So do I. Shut the fuck up, you trump sucking faggot.

    23. Re: Cute by Anonymous Coward · · Score: 0

      This tells me you know fuck all about security that you think that.

    24. Re: Cute by Uberbah · · Score: 0

      Except she didn't lie, dipshit. She has a native ancestor, exactly as she says she was told by her family. One she didn't use to gain any affirmative action placement in any job.

      What's really embarrassing about this, is how easy it is to hit Warren on this without being full of shit. Just ask her why, if she's so proud of this native ancestry, why she sat around with her thumb up her ass while native americans were being sprayed with firehoses in freezing temperatures while protesting the DAPL pipeline.

    25. Re: Cute by Anonymous Coward · · Score: 0

      ... high-school grads to train on-the-job.

      Brilliant!

      HAHAHAHAHAHAHAHAHAHAHA.

      If they wanted to train people, they would already be doing it. I'm seeing vacancies declaring 'entry level' and '12 months experience preferred'. If the employer demands experience, it's not 'entry level', that's false advertising.

      If I've got 12 months experience and am half-way to my $.20/hr pay-rise, why would I quit and work another 2 years (with a different boss) before I get that pay-rise? This is bosses thinking people with jobs want to give him a pay-rise, not themselves.

    26. Re: Cute by DNS-and-BIND · · Score: 1, Informative

      Uh, she got into Harvard just when they were desperate for minority applicants. It takes a special kind of naivete to think that was a coincidence. This is Harvard, the university that readily and openly discriminates on race.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    27. Re: Cute by Anonymous Coward · · Score: 0, Flamebait

      And here we see how a serial rapist like Bill Clinton became president and they cover for him to this day.
      The DNC also supports KKK members like Northam without shame.

      They also propose legalizing killing live babies and then tell you that you have no right to fly on an airplane.

      This is the DNC today, infanticide while making you a criminal for eating steak. Congratulations on your moral superiority.

    28. Re: Cute by houghi · · Score: 1

      In this area she is "incompetent" her expertise is in law and finance, she knows nothing about technology.

      There is no need to understand technology to understand accountability.

      The problems she is handling are not technical problems, they are social problems.

      If I tell kids that there is no need to look around when they want to cross the road, you do not need a traffic engineer, you need a normal human with common sense, to understand that that is wrong. Even if they have right of way, it is still wise to pay attention.

      This is about accountability. If the COO did everything in his power and there still is a zero day hack, he will go free. If there was negligence somewhere, then he is accountable.

      It has been a LONG time that people in power were held accountable in the US that we all have forgotten how it should be. The fact that a law that does this is even needed shows this.

      --
      Don't fight for your country, if your country does not fight for you.
    29. Re: Cute by Anonymous Coward · · Score: 0

      Don't you mean origin elephant?

      I don't get it.

    30. Re: Cute by Jason+Levine · · Score: 4, Insightful

      As a victim of identity theft, I can personally attest that the credit agencies don't just view this as "not their problem", but actively see it as the victim's problem. When my identity was stolen, a credit card was opened in my name and only a stroke of luck made the card go to me. (The card was mailed out before the identity thief's address change was processed.) When I called the company (*cough*Capital One*cough*) about it, they not only told me they couldn't give me information ("because if you go and shoot these people, we're liable" - but you're not liable for opening accounts under my name?!!). They insisted that my wife likely opened the account - when my wife was right next to me freaking out over this. Finally, they refused to let the police speak with them. They told the police that they needed to call a special line. That line went right to voicemail and it was never answered. I've heard of other times where credit agencies like Experian harassed identity theft victims, telling them that the fraudulent accounts would remain on their credit report unless the victims produced massive amounts of proof.

      Basically, these companies treat identity theft and data leaks as minor annoyances. Close the account if someone complains, write off the tiny losses, push the burden of proof onto the victims, and then go back to raking in tons of money. If any actual laws are going to be put in place to protect consumers, fight those laws tooth and nail. They never suffer any actual consequences - just look at Experian's data breach. Millions of people's personal information leaked and what penalties has Experian suffered? They settled a $22 million class action lawsuit, but they earned $5.2 billion last year. I don't think 0.4% of their income really hurts them much. If I was fined $300, it might sting slightly, but it wouldn't really hurt. Especially not if what I was fined for made me that much in 1.5 days.

      There need to be actual consequences or things aren't going to get better.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    31. Re: Cute by hiroshimarrow · · Score: 1

      I would argue, that based on what you say (not saying it is or isn't true because I don't really care), then she is in fact a very competent and successful liar. That actually should be looked at as favorable for the job she wants, because every POTUS has lied through their teeth every day of their term, before their term, and after their term.

    32. Re: Cute by Anonymous Coward · · Score: 0

      So it's like sex then, right?

    33. Re: Cute by Anonymous Coward · · Score: 0

      That is not how it works sunshine.

    34. Re: Cute by Anonymous Coward · · Score: 0

      lol, would we? You've not heard about Flint Michigan then, I assume?

    35. Re: Cute by Anonymous Coward · · Score: 0

      I think you're missing the point. They're not being held accountable for the data breach. They're being held accountable for negligence that led to the data breach.

      You don't go to jail for having a fire in your hotel. You WILL go to jail if you chained the firedoors shut.

    36. Re: Cute by Shaitan · · Score: 1

      Yeah but you aren't following the tree. The COO knows nothing about it. The problem with holding someone accountable for doing everything they could is you are looking through a 20/20 lens of hindsight which never matches reality.

      This is a set of books that no amount of accountability and budget can resolve. To people who aren't involved it sounds like we in security are saying "oh we can't make it perfect so why bother" or the ever popular "it's about raising the effort required to get in". But it isn't that. If we do everything per best practices with no exceptions people can't actually do their jobs and it breaks in ways that are difficult to explain to people who don't do their highly technical jobs. At some point, you can't dumb it down and still capture the detail and it also becomes hard to remember all the details when you aren't in the moment. The jobs are ridiculously complex and you don't have the body count to catch things slipping through the cracks. Any company that genuinely had best practices applied across the board would spend more on security than it grosses. They are ALL going to look negligent in hindsight.

      It is worse than that though. That is just best practices. But a bright attacker looks through a new lens and our strong sphere of security built on "best practices" instantly looks like a circle he is looking down on and can just poke right into the middle of. And there aren't three or four dimensions to be found, there are millions. Once you've seen that angle, you can't unsee it so again, any effort that has been made is going to seem negligent.

    37. Re: Cute by Shaitan · · Score: 1

      In this case someone will always have some firedoors chained shut somewhere. If they didn't they wouldn't be able to do their jobs. There is no way to both follow all the best practices and operate in even close to a reasonably efficient way. There are things an exec could do to help if they legitimately understood that but it wouldn't eat into profits it would eliminate it and only reduce not eliminate the problem.

    38. Re: Cute by DaFallus · · Score: 1

      And here we see how a serial rapist like Bill Clinton became president and they cover for him to this day. The DNC also supports KKK members like Northam without shame.

      They also propose legalizing killing live babies and then tell you that you have no right to fly on an airplane.

      This is the DNC today, infanticide while making you a criminal for eating steak. Congratulations on your moral superiority.

      The medical term is called a fetus. It's not an infant until it is born, which coincidentally is exactly when "moral" conservatives such as yourself quit giving a shit and refuse to pay for any assistance.

      --
      No one cares what your captcha was

      Houston TX, USA
    39. Re: Cute by Shaitan · · Score: 1

      "So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison."

      A sufficient amount of scrutiny will always find them negligent. It is impossible to operate without "negligence" when it comes to security. The fact is that most of the best practices exist for a reason, in practice do little to reduce risk, and dramatically hamper operations. The more strict you are in enforcing best practices the more negligent people will seem because they have to violate the rules in more and more brazen ways to get their jobs done.

      Can you post on Slashdot from work? Use slack or any cloud services with third party personal? Are people allowed to have cell phones in your organization? Have on premise wifi? Do your developers spin up cloud instances and test things on them? All of those things severely violate security best practices and those are the least of them.

    40. Re: Cute by Shotgun · · Score: 0

      Then how do you explain that every comparative study shows that conservatives contribute more to charities than leftists. Government redistribution is not "caring".

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    41. Re: Cute by MooseTick · · Score: 1

      "Elizabeth Warren has never served in combat in the military"

      At her age and gender, she wouldn't have been allowed to.

    42. Re: Cute by MooseTick · · Score: 1

      "I'm tired of these lefty politicians telling us how to run our legal system. Leave it to the cops and soldiers!"

      You know, 3 of the last 4 presidents never served either. And the one who did was in the Air National Guard and never saw combat.

    43. Re: Cute by Anonymous Coward · · Score: 0

      If churches and special interest groups count as "charities" then sure. Republicans donate tons to organizations that try to shape the cultural and political landscape to match their own. But actual, effective and real charity? Fuck no. Not unless that "free" bread comes with a pamphlet on how to ask our lord and savior Jesus Christ into your heart.

    44. Re: Cute by Anonymous Coward · · Score: 0

      This is an issue that makes my blood boil. A credit agency with insufficient security gets together with a merchant who has insufficient security, a purchase is fraudulently made in my name, and somehow I'm responsible for cleaning it up? How about the credit agency and merchant clean it up? I was the only one of the three of us not present when the transaction took place. You push it onto me, you're not going to like the solution: I'll murder the presidents of the credit agency and the merchant, badly, and see if their replacements place a higher priority on securing my credit information.

    45. Re: Cute by ewibble · · Score: 1

      Lying is not a sign of incompetence, everyone lies. Excessive lying is a sign of dishonesty, and should disqualify you being president, but it clearly doesn't. In a democracy it is up to the public to decide if that lying is excessive.

    46. Re: Cute by Scroatzilla · · Score: 1

      Which of these CV items has anything to do with "competence"? I see "passing the bar" and "teaching" as things she has done. Having no law experience, I can't speak to the competence needed to pass the bar. I can only assume "competent test taker." As a former student, I have had both competent and incompetent teachers; so, regardless of where she has taught, why would I accept her teaching experience as evidence of her competence? In conclusion, why would I attribute "competence" to her ability to lead?

      I will say that her Instagram beer video shows *incompetence* when it comes to acting as a normal human being.

    47. Re: Cute by twebb72 · · Score: 1

      Agreed. Noteworthy, while people are flying off the rails about how she doesn't know 'tech' to describe this problem we have an actual business-case.

      Equifax. They need to be heavily regulated to operate in their oligopoly. Regulation does not mean you need to know 'tech'. They left their front door unlocked, and filing cabinets available for all to see after business hours... they don't care about your data

      They only care about making sure that those users who came in after hours are cut off from their 'free trial' turn into paying customers

    48. Re: Cute by twebb72 · · Score: 1

      They settled a $22 million class action lawsuit, but they earned $5.2 billion last year. I don't think 0.4% of their income really hurts them much

      Experian's settlement of 22 million, is equivalent to a $124 to your average American

      *Based on the median single income [not household] in America is roughly $31.1k per year in 2017

      They leaked the personal information of millions. Their consequence was less than most speeding tickets to your average American.

    49. Re: Cute by Anonymous Coward · · Score: 0

      Try again, trumpflake

    50. Re: Cute by Uberbah · · Score: 1

      Uh, she got into Harvard just when they were desperate for minority applicants.

      Uh, except she never applied to anything as a minority candidate. Aren't you wingers supposed to be big on merit? I don't much care for Warren - because she hasn't actually changed since she was a proud Republican in the Reagan era, she only seems lefty because both parties have gone so very very far to the right - but she is a smart enough and hard working enough person to earn the positions she has held. Bill Clinton is a loathsome person, but even his most deranged haters on the right (he spent both terms pushing right wing policy yet you hate him for it) would have to admit he's a smart person and gifted politician.

  2. That makes sense. by XxtraLarGe · · Score: 0, Flamebait

    It's better to hold the executive responsible rather than the managers or developers who chose poor security practices because s/he's the rich one!

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:That makes sense. by Anonymous Coward · · Score: 1

      not if management forced them to with time/money/'user experience' constraints.

    2. Re:That makes sense. by Anonymous Coward · · Score: 5, Insightful

      I don't really know, but maybe the idea is to motivate the execs to stop cock-blocking IT dept's security budget.

    3. Re:That makes sense. by Anonymous Coward · · Score: 0

      If it was up to the security guys 100% of the budget would go to security practices, training, and equipment.

      A lack of security is never ever the fault of those implementing them.

    4. Re:That makes sense. by PopeRatzo · · Score: 5, Insightful

      It's better to hold the executive responsible rather than the managers or developers who chose poor security practices because s/he's the rich one!

      Do you know what "executive" means? Do you know why they make hundreds of times more money than the average developer? It's because they're supposed to be responsible. Of course you should hold the executive responsible for these breaches. They were the ones in charge.

         

      --
      You are welcome on my lawn.
    5. Re:That makes sense. by greythax · · Score: 3, Insightful

      Exactly, the rich one who has the power to tell the not rich one "forget about security, just get it done." Next time, maybe think about the topic for 10 literal seconds before posting.

    6. Re:That makes sense. by _Sharp'r_ · · Score: 1, Insightful

      Naw, what this proposal would accomplish (if it actually passed and wasn't just a campaign talking point) is to increase the level of executive pay for anyone who might be caught and prosecuted under the law. Less people on the margin who want the job becomes less competition for the job becomes higher compensation for the job to attract the best candidates, the ones with other options. Basic economics, which Warren hasn't ever demonstrated she understands, of course.

      Now let's see the laws about holding the government bureaucrats and politicians responsible for all their own many personal data breaches. Still waiting for that to happen...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    7. Re:That makes sense. by Anonymous Coward · · Score: 0

      Mgmt takes orders from execs. It's usually executives who say, let's gather as much data as possible, retain it, and monetize it. They're the ones causing the risk by collecting unnecessary data to use to inflate shareholder returns

    8. Re:That makes sense. by Anonymous Coward · · Score: 0

      Sweet, so in revenge, I can write a deliberately subtle bug, and then the asshole CEO goes to jail. Go ahead and prove I did it deliberately.

    9. Re:That makes sense. by i.r.id10t · · Score: 1

      Yup. And hopefully some protection for the poor geek at the end of the line, who is being told the CxO (or Provost in my case) is PO'd as heck and "just create those 100 instructor accounts with the same default password and tell them what it is to get them started" when the password still works and can't be changed after LDAP credentials are linked/added (after the other part of ITS did their job) ....

      --
      Don't blame me, I voted for Kodos
    10. Re:That makes sense. by sexconker · · Score: 1

      If it was up to the security guys 100% of the budget would go to security practices, training, and equipment.

      A lack of security is never ever the fault of those implementing them.

      Staff, software, and equipment, sure.
      Training or certification? Might as well burn the money.

    11. Re:That makes sense. by novakyu · · Score: 1

      It's because they're supposed to be responsible.

      PLEASE.

    12. Re:That makes sense. by PopeRatzo · · Score: 3, Funny

      Sweet, so in revenge, I can write a deliberately subtle bug, and then the asshole CEO goes to jail. Go ahead and prove I did it deliberately.

      That's not what happened here, but you do seem to grasp the correct usage of a red herring, you knob.

      --
      You are welcome on my lawn.
    13. Re:That makes sense. by Ol Olsoc · · Score: 3, Insightful

      It's better to hold the executive responsible rather than the managers or developers who chose poor security practices because s/he's the rich one!

      Has nothing to do with money. Has everything to do with who holds the power. Managers? not much. Developers, none. CEO? they want to protect those millions they make.

      We've become so weird in this country. The part that is related to money is that with a big paycheck should come big responsibility. Yet we go in the opposite direction, making that big paycheck owner absolved and immune from all guilt.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    14. Re:That makes sense. by dryeo · · Score: 1

      You're ignoring human nature. Executives would just think they can do the job, won't make stupid mistakes and won't be caught screwing up as they're better.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    15. Re: That makes sense. by Anonymous Coward · · Score: 0

      It's not a red herring, it's a plan. How much do you think that flaw is worth? Win, Win. I get paid for my own petty revenge.

    16. Re:That makes sense. by n3r0.m4dski11z · · Score: 1

      "Naw, what this proposal would accomplish (if it actually passed and wasn't just a campaign talking point) is to increase the level of executive pay for anyone who might be caught and prosecuted under the law. Less people on the margin who want the job becomes less competition for the job becomes higher compensation for the job to attract the best candidates"

      Sorry, have you never met a poor criminal before? I guarantee they would jump at the chance to make 150k per year, despite the threat of possible jail. They are a criminal, so they already live with that threat daily.

      You are basically saying that no one risks going to jail for low amounts of money which is hilariously not true. People take shit jobs for 30k a year and you don't think you can find someone to do a cushy executive one for far more than that?

       

      "Basic economics, which Warren hasn't ever demonstrated she understands"

      Some people will always want to be in a highly paid executive position. And you are saying she is the one who doesn't understand basic economics?

      --
      -
    17. Re:That makes sense. by Skubman · · Score: 1

      I get a giggle from your very correct train of thought. In the military, people personally liable (if you can't pay it back in three months salary, pack your bags for fed prison) for tens or hundreds of millions of dollars in cash only make around 60-90K a year.

      When European bank managers said they needed salaries roughly equal to ten percent of their vaults (which might be close in responsible magnitude, if not less), I spat coffee. It's almost as if they then, and the tech execs soon, are willfully admitting to incredible risk, since they demand incredible compensation. So maybe a ground up security overhaul is needed.

      In other thoughts, who the hell is managing Warren now? Two not shit ideas in a row, if you count her RTR talk.

      --
      -This signature is strictly to prevent comments ending with questions or propositions.-
    18. Re:That makes sense. by Anonymous Coward · · Score: 0

      Executive pay is totally unrelated to candidates' skill and responsibilities.

      There is no correlation between executive pay and performance.
      https://www.independent.co.uk/news/business/news/high-executive-pay-performance-ceos-link-negligible-study-a7498441.html

      It's just insiders in the club all sitting on each others boards, playing golf together and agreeing on how brilliant they are and how much money they should be paid. They're above average at best. Executive pay will not be altered one iota by this proposal.

    19. Re:That makes sense. by Anonymous Coward · · Score: 0

      Two not shit ideas in a row, if you count her RTR talk.

      You mean the idea she pitched, but never submitted legislation for, while campaigning in Iowa, a state with a high number of farmers and which doing poorly in the Iowa caucuses typically means you have to leave the primary race? The idea that is obviously meant to cater to the caucus members, with it being narrowly focused towards farm equipment, and not an actual good RTR idea.

    20. Re:That makes sense. by TimothyHollins · · Score: 1

      No, you dongleberry, that is not how it works. An executive would get punished for *not doing enough*. If a corp such as Experian skipped securing the database because it was an unnecessary expense the CEO would face jailtime. If the code for securing the database was flawed but implemented, the responsible party would still be the programmer. The bill suggests that those CEOs that do not take sufficient measures face the music (for once), not that they have to debug the security measures by hand.

  3. How about some actual USEFUL legislation... by cayenne8 · · Score: 5, Insightful
    ...like maybe pass laws in the US, that stipulate that the individual citizens' data belongs to THEM and that they must opt IN in order for companies to collect and use in any manner, their data?

    Roll it up in online and maybe expanded individual privacy rights? The right to be forgotten? Banning shadow accounts (facebook) on people that never even joined your system/application/social media...?

    Now something like that might actually be healthy and helpful to the average US citizen....

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:How about some actual USEFUL legislation... by DarkRookie2 · · Score: 1

      Not really.
      Most sites do not need it.

      --
      http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    2. Re:How about some actual USEFUL legislation... by UnknownSoldier · · Score: 1

      As opposed to everyone and their dog selling your personal information and them denying they have any shadow accounts on you when you don't even do business with them??? Is that really what you want???

      No one claimed it would be easy, only worth it.

      I expect companies that profit from selling personal information to push back, hard, on this as it directly cuts into their bottom line.

    3. Re:How about some actual USEFUL legislation... by Anonymous Coward · · Score: 0

      or companies would be forced to keep only what information is required to complete a transaction, then dispose of it once that transaction is completed. yeah marketing would take a hit, but that's probably a net benefit to society.

    4. Re:How about some actual USEFUL legislation... by Merk42 · · Score: 1

      or companies would be forced to keep only what information is required to complete a transaction, then dispose of it once that transaction is completed. yeah marketing would take a hit, but that's probably a net benefit to society.

      How would returning something work? The company would no longer have any evidence you purchased it from them.

    5. Re:How about some actual USEFUL legislation... by greythax · · Score: 1

      The only way something like that would work is if it comes with a crap ton of regulators to enforce it. Which, I don't consider a bad thing, but in today's political climate of deregulation, do you honestly see that passing?

    6. Re:How about some actual USEFUL legislation... by cayenne8 · · Score: 1

      "...or companies would be forced to keep only what information is required to complete a transaction, then dispose of it once that transaction is completed. yeah marketing would take a hit, but that's probably a net benefit to society."

      How would returning something work? The company would no longer have any evidence you purchased it from them.

      Well, this would take a LOT of thought to do as a law, but it could be moderated by allowing info to be kept as gathered, in say..financial transactions, etc...where you do need records. BUT, stipulate it cannot be shared, distributed or SOLD outside of that company unless the person in question was asked and consented to it. Basically guarantee that wherever their data is gathered and kept, within a company for a specific reason....is kept there and doesn't go anywhere else for any reason that is not specifically granted.

      And there should be no EULA's that blanket cover them when first gathering it. The EULA's should be forced to be very specific for reason and what is kept, how long, etc.

      Sure, is a PITA....but hey, something of this nature works fairly well for medical information HIPAA.

      I should think something at least in that nature for ALL personal data could work.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    7. Re: How about some actual USEFUL legislation... by Anonymous Coward · · Score: 0

      Nah. Unless there is literally a specific law on the books (and not just some theoretical best practice to profit consultants) companies have no need to waste time.

    8. Re:How about some actual USEFUL legislation... by Anonymous Coward · · Score: 0

      Because bigger government is always the answer...

    9. Re:How about some actual USEFUL legislation... by Anonymous Coward · · Score: 0

      Because this isn't about achieving anything useful. This is a shakedown. Every regulatory expansion obligates lobbyists to show up with "campaign" contributions to influence the outcome. The bill targets the wealthiest party involved for precisely this reason.

    10. Re:How about some actual USEFUL legislation... by TheRealQuestor · · Score: 1

      How would returning something work? The company would no longer have any evidence you purchased it from them.

      In the same way we did it before the corporate takeover of the internet. It's called a sales receipt.

    11. Re:How about some actual USEFUL legislation... by jbn-o · · Score: 1

      Your comments are doubly inactionable. You suggest that the proposed legislation is not useful but you don't say why you think it is not useful. And you don't write up legislation for your congressmembers that would implement what you think is useful. Lobby groups are well known to write legislation for Congress to pass; you should take your ideas and put them into language that can get passed (the legal equivalent of "code or ..." minus the foul language and telling people to not participate in free speech).

    12. Re:How about some actual USEFUL legislation... by dryeo · · Score: 1

      Because bigger government is always the answer...

      Well it seems to be an arms race with bigger corporations. What do you suggest? Surrender?

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    13. Re:How about some actual USEFUL legislation... by aquacrayfish · · Score: 1

      Given the current climate in the Senate, I struggle to come up with an idea for *any* bill to benefit voters that would need 60 votes to pass.

    14. Re:How about some actual USEFUL legislation... by Merk42 · · Score: 1

      How would returning something work? The company would no longer have any evidence you purchased it from them.

      In the same way we did it before the corporate takeover of the internet. It's called a sales receipt.

      Which the buyer used to just walk into the store and...hmm..where do they go if it's online only?

    15. Re:How about some actual USEFUL legislation... by Anonymous Coward · · Score: 0

      When I buy logistics supplies online, they mail me a paper invoice. I can have a purchase order generated too, if I choose to do so. There's nothing stopping other businesses from including these with their shipments.

    16. Re:How about some actual USEFUL legislation... by Shotgun · · Score: 1

      A cryptographical document, signed with the company's private key?

      It's 2019. This part isn't exactly rocket science.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  4. About time! by EzInKy · · Score: 3, Insightful

    Awesome. Somebody needs to be held responsible.

    --
    Time is what keeps everything from happening all at once.
    1. Re:About time! by Anonymous Coward · · Score: 1

      +1

      About time the tech industry grew the fuck up and started acting responsibly.

      Might actually get people to program and build systems with security in mind from the start rather than as an inconvenience taken care of at the end.

    2. Re:About time! by BlueStrat · · Score: 0, Offtopic

      Awesome. Somebody needs to be held responsible.

      I'd suggest this law is an excellent idea except it needs one small change.

      Instead of CEOs and damage done from their negligence, lawlessness, and greed, substitute in State and Federal congressional/legislative members.

      I know it'll never happen (wut!? vote to hold *ourselves* accountable!? LOLNO!) but that would solve metric shit-tons of problems including this one with a government that was not so corrupt and that actually represented the people occasionally and not the richest criminals so much.

      The First Law Of Human Governance

      "The larger, more costly, and more powerful a government is, human nature assures us that the more corrupt, unjust, and authoritarian it will be."

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:About time! by CrimsonAvenger · · Score: 1

      Awesome. Somebody needs to be held responsible.

      Yeah, never mind whether the guy held responsible had anything to do with the crime...

      Note that most CEO's, while they may be responsible for the decision to gather massive amounts of data, aren't actually writing code, so holding them responsible for bad code is...questionable.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    4. Re:About time! by Anonymous Coward · · Score: 0

      Yeah, never mind whether the guy held responsible had anything to do with the crime...

      Is the choice to pursue revenue streams at the expense of security to the extent that your company could be considered negligent in safeguarding its data a crime? That decision is not being made by the people writing the code. It's being made by the executives.

    5. Re:About time! by Anonymous Coward · · Score: 0

      So, human nature says that government by one - a physically powerful despot - is on the lower scale of justice, corruption and authoritarianism? Interesting.

    6. Re:About time! by Anonymous Coward · · Score: 0

      Reading comprehension is not your forte.

      Sadly, not surprising.

    7. Re:About time! by Anonymous Coward · · Score: 0

      Note that most CEO's, while they may be responsible for the decision to gather massive amounts of data, aren't actually writing code, so holding them responsible for bad code is...questionable.

      CEOs justify their salaries by taking the lion's share of responsibility from the decisions they and their underlings make.

      CEOs should also take an equal share of blame.

    8. Re:About time! by Anonymous Coward · · Score: 0

      Can we jail this cunt when the government suffers a data breach?

    9. Re: About time! by Anonymous Coward · · Score: 0

      Hey hey hey....
      CEOs take on a hundred percent of the CREDIT! They never agreed to take on LIABILITY! That's what the legally distinct subsidiary shuffle and peons are for.

    10. Re:About time! by Ol Olsoc · · Score: 1

      Awesome. Somebody needs to be held responsible.

      Yeah, never mind whether the guy held responsible had anything to do with the crime...

      Note that most CEO's, while they may be responsible for the decision to gather massive amounts of data, aren't actually writing code, so holding them responsible for bad code is...questionable.

      The CEO is responsible to the stockholders. If the company gets rocked a bit by the number one guy going to jail, maybe getting a new boyfriend while there - they might have something to say about it.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    11. Re:About time! by Anonymous Coward · · Score: 0

      As long as they continue to hire contractors named Rajeev based on how little money they'll work for, the problem won't be going away.

    12. Re:About time! by dryeo · · Score: 1

      Don't forget

      The Second Law of Human Governance

      Given a void in governance or a weakness, a corrupt, unjust and authoritarian group without any rule of law, will arise to fill the void

      Now I understand that some prefer the East Indian type companies, or the type of company that ruled the Congo in the 19th century and would also prefer warlords but personally, that is not my preference.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    13. Re:About time! by Anonymous Coward · · Score: 0

      The code is bad because the coders were told to write it sloppy and quick, not carefully and contemplatively.

      Most coders want to write good, clean, safe code. It's bosses that get in the way of that ideal 99% of the time.

      Of course, I wish these coders would just quit and blab to the tech media about the experiences that inspired them to leave, but the sad state of the job market has made it so that good people will put up with bad things to prevent worse situations from happening in their personal lives.

    14. Re:About time! by BlueStrat · · Score: 1

      Don't forget

      The Second Law of Human Governance

      Given a void in governance or a weakness, a corrupt, unjust and authoritarian group without any rule of law, will arise to fill the void

      Now I understand that some prefer the East Indian type companies, or the type of company that ruled the Congo in the 19th century and would also prefer warlords but personally, that is not my preference.

      Totally agree. Sadly, governments are a necessary evil.

      The government structures that have seemed to work best in practice overall from a population's perspective are of the distributed-power sort that operate with some form of democratic representation alongside a relatively free market, which together tend to leverage human nature to benefit all as opposed to the centrally planned and controlled sort which attempt to overcome human nature to ultimately benefit a select few.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    15. Re:About time! by dryeo · · Score: 1

      Yes, Democracy, as shitty as it is, seems to work better than the other alternatives, ideally you get some balance, eg the over regulators against the under regulators and most important, regular changes in government. It seems all governments get complacent and corrupt after a while, usually 8-10 years it seems.
      The problem with the free market is keeping it free. You can have government interference and private interference, and even worse the private interference working through government. Capitalists, who thrive under a free market, hate it as the goal is to have a non-free market where people are forced to use products due to monopolies and cartels.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    16. Re:About time! by Anonymous Coward · · Score: 0

      Must not be a software engineer. A lot of this stuff is really difficult, and on top of that, this is analogous to your house getting broken into, and that means you get to hold the lock maker responsible. Usually even making a best effort to protect internal data doesn't make it safe.

  5. Waitaminute by cahuenga · · Score: 3, Funny

    You can't treat us like people!

    1. Re: Waitaminute by Anonymous Coward · · Score: 0

      Oh but we can treat you like people, you cute little funny little people you with your long days and your mundane aches and pains

    2. Re:Waitaminute by mjwx · · Score: 1

      You can't treat us like common people!

      TFTFY

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  6. Pointless by alvinrod · · Score: 2

    This won't pass anyway, but even if it did what's really going to change if we can't enforce existing laws against executives when they perpetuate fraud or break other laws?

    If you really want to make companies care about security and data privacy, make it easier for consumers to sue companies in civil court for these kinds of breaches. Companies care far more about threats to their bottom line, and are going to respond far more quickly to things which threaten it.

    1. Re:Pointless by jeff4747 · · Score: 1

      Companies care far more about threats to their bottom line, and are going to respond far more quickly to things which threaten it.

      Equifax says "Hi", and would like to remind you that they exist. Also, they made way more money by not paying for decent security than they lost in fines and lawsuits.

    2. Re:Pointless by Anonymous Coward · · Score: 0

      Hence "make it easier for consumers to sue companies in civil court for these kinds of breaches". Equifax should have had to pay out several billion for their gross negligence.

  7. Won't work by Anonymous Coward · · Score: 0

    All that will do is make people sign EULAs that they don't read to waive their rights to ensure that nobody gets sued, like the stupid little boxes at the bottom of webpages now that nobody wants to mess with.

  8. Meet the CDBSO! by EvilSS · · Score: 5, Funny

    Meet the CDBSO: Chief Data Breach Sacrificial Officer! Selected from the working peons, the CDBSO is catapulted from his labors in the basement IT room to the top floor with a plush closet and low 5 figure salary! Should a data breach occur, the CDBSO will lead the charge... sheet in a federal indictment.

    --
    I browse on +1 so AC's need not respond, I won't see it.
    1. Re:Meet the CDBSO! by Anonymous Coward · · Score: 0

      And when a breach happens... He is catapulted into that giant lake of fire over there. Thus the system works!

    2. Re:Meet the CDBSO! by sconeu · · Score: 1

      Or, as they called it on "How I Met Your Mother", the

      "Provide Legal Exculpation And Sign Everything" (P.L.E.A.S.E.).

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re: Meet the CDBSO! by Anonymous Coward · · Score: 0

      NSA = Never Sign Anything

    4. Re:Meet the CDBSO! by Antique Geekmeister · · Score: 1

      I believe the acronym you're looking for is "PLEASE", "Provide Legal Exculpation And Sign Everything". The relevant TV clip is here:

      https://www.youtube.com/watch?...

    5. Re:Meet the CDBSO! by EvilSS · · Score: 1

      Yea, that's how we lost our last CDBSO. We originally called his position PLEASE and got sued by CBS Studios. He's currently serving life without parole in a studio cafeteria in Burbank.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  9. shes got my vote by Anonymous Coward · · Score: 2, Interesting

    It's about time someone proposed a bill like this.

    1. Re:shes got my vote by Anonymous Coward · · Score: 0

      How about not lying about your race on your college entrance paper work.

    2. Re:shes got my vote by Anonymous Coward · · Score: 2, Funny

      Or how about not lying about everything. Like the President.

    3. Re:shes got my vote by Anonymous Coward · · Score: 0

      One "I didn't know they were doing that" or "I hire experts to handle those things, I can't learn everything" and "Our corporate policy signed by me says not to do that" and the law is near useless. It's a feels good measure instead of a workable plan. Don't be fooled so easily. You don't want to vote for someone who uses such tactics. Sadly they all use these tactics.

      The President is the head of the armed forces, not the creator of new laws. If you want her to make such laws, you don't want her as president.

    4. Re: shes got my vote by Anonymous Coward · · Score: 0

      "If you like your doctor you can keep your doctor"... Barack Hussein Obama

    5. Re:shes got my vote by Anonymous Coward · · Score: 0

      One "I didn't know they were doing that" or "I hire experts to handle those things, I can't learn everything" and "Our corporate policy signed by me says not to do that" and the law is near useless.

      Not really.

      It's damn easy to secretly bring a recording device to work. Spy cameras cost less than $200 and have pretty decent resolution, audio quality, battery life and memory capacity.

      If a corporate network administrator is at a meeting with the higher-ups, proposing a new set of security upgrades and measures, and the CEO bullies him into forgetting about it and just focusing on releasing the damn video game before Christmas or whatever, he can record that conversation for later.

      Should a data breach ever occur, and the CEO wants to play dumb, or pass the buck downstream claiming it was a "rogue operation", this recording can be submitted as evidence.

      Everyone should be recording their bosses anyway, especially if they're shady motherfuckers who swindled you into selling your soul for a salary.

    6. Re:shes got my vote by Anonymous Coward · · Score: 0

      If she's running against Donald "My father was born in Germany, and the sounds of windmills cause cancer" Trump, then being overly proud over 1/64th of her genes – 50 years ago – doesn't really seem inexcusable.

  10. A politician holding someone accountable? by GregMmm · · Score: 1, Insightful

    I fully back this IF the politicians, like Elizabeth Warren, can also go to jail for their failures. I'm sure she will agree to this......

    Otherwise, how will this be workable? So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks? What about the people who are supposed to be applying the privacy policies? What about the engineers and technicians? This just seems like a "witch hunt" and political posturing.

    Her statements make it sound like the CEO is trying to "cheat their customers" by having a security breach? There's nothing in it for the CEO if there is a security breach. If a CEO is stealing from someone, then ya, book them.

    This seems like a way to get some votes and wanting to stick it "to the man". I'm sure it will feel good, but it's not going to change security breaches in large corporations.

    1. Re:A politician holding someone accountable? by serviscope_minor · · Score: 5, Insightful

      So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks?

      Yes.

      What about the people who are supposed to be applying the privacy policies?

      What about them? They ultimately take their orders from the CEO.

      What about the engineers and technicians?

      Fuck you you snivelling little shitstain.

      You think the technicians with the low salaries right at the bottom are somehow when the "profits first" CEO is putting on all the pressure to cut corners etc? Fucking corporate apologist. Of course you want the little guy to get it in the neck while the big rich man gets off.

      Screw you.

      There's nothing in it for the CEO if there is a security breach.

      Are you simple?

      Yes, yes you are.

      There's money in it for the CEO to ruthlessly cut expenses to maximise profits.

      --
      SJW n. One who posts facts.
    2. Re:A politician holding someone accountable? by Krishnoid · · Score: 2

      Is this about breaches or fraud? If breaches, sure, any large retail company will be subject to breaches. But fraud? Start with the big banks that foreclose on houses that aren't theirs, open unrequested accounts, or launder money for drug dealers. The first two at least meet that category.

    3. Re:A politician holding someone accountable? by skids · · Score: 1

      I fully back this IF the politicians, like Elizabeth Warren, can also go to jail for their failures. I'm sure she will agree to this......

      You should be. For example she's introduced a bill that could put her in jail if she owned any individual stocks (along with all the other Senators, Congressmen, and much of the White House.)

      Maybe RTFB? It probably says what it considers "negligence".

    4. Re: A politician holding someone accountable? by Anonymous Coward · · Score: 0

      How come nobody asks the little guys where they want to get it?

    5. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      consider moving out of the basement.

    6. Re:A politician holding someone accountable? by GregMmm · · Score: 1, Insightful

      Wow someone has some real anger issues, and yes I am simple. I like it that way.

      This is the reason I posted what I did. This is an emotional response to try and solve a problem. Let's look at this if it was deployed:

      1) Company XYZ has a security breach. Data is compromised. Firstly, the CEO is packing his bags at this point (joke)
      2) Politicians beat their chests and say how bad it is the data is exposed and this can never happen. Hang the CEO!!
      3) The CEO goes to jail, perhaps their family is destroyed, etc. That will show them.
      4) Company XYZ still has the same people in charge of security. The ones who were responsible for the security holes still work there.
      5) A new security policy is put in place and plans of action are made to make sure this will never happen again.
      6) New CEO makes statements of how security is now our main focus and really drills it to his minions. (like security wasn't before, but this time we mean it)
      7) 1 year passes, people move jobs, lessons are forgotten, rinse and repeat.

      But by golly, we got that CEO. That will learn them.

      This is why I say this is bad legislation and would be a waste of time. Heck, how about using the law to take out other CEOs from other companies. Hack them and expose some data. Where's my pitchfork!!

      Do you see it working another way? I'm always open to different ideas and am interested.

    7. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      You don't know what a communist is, do you?

    8. Re:A politician holding someone accountable? by serviscope_minor · · Score: 5, Insightful

      Wow someone has some real anger issues,

      Not really, I'm just tired of shitheads advocating to fuck over the people with the least power. Congrats, you're one of those shitheads.

      3) The CEO goes to jail, perhaps their family is destroyed, etc. That will show them.

      Yes, the CEO put profits above user data. That's a crime and he went to prison.

      4) Company XYZ still has the same people in charge of security. The ones who were responsible for the security holes still work there.

      Did the CEO increase security's budget by enough? Nope. So he's the one ultimately at fault.

      But by golly, we got that CEO. That will learn them.

      Yeah it will. The next slew of CEOs will think "hmm maybe I could make a bit less money and NOT go to prison. How about that?"

      And then fund security properly.

      Problem.

      solved.

      --
      SJW n. One who posts facts.
    9. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      The shit-stain is you. Your entire thing is a straw man argument, assuming CEOs only care about maximizing profits by cutting costs, and you then go on an insulting rant. You don't know what a CEO does.

      CEOs are not responsible for cutting costs. They are responsible for growing the value of the company. Sometimes they do that through cost cutting measures, and sometimes they do that through growing revenue. At best they can set policy, but others need to execute. Can the CEO be responsible for bad code written by his team? Or maybe good code but hacked by someone better?

      AMEX had a data breach in 2013 that wasn't detected until 2016. The CEO of AMEX's job is to think about financial markets and provide better products for millions of credit card holders, not data security. Particularly because the breach wasn't even theirs, it was a third party vendor who had a data sharing agreement that had poor code and thus AMEX data was stolen, but not from AMEX servers. Subsequently AMEX stock price dropped 10% in 5 days, wiping out $9B in investor's value. Is the CEO responsible for the bad code written by a third party vendor, even though it's AMEX data?

      Your worldview is too simple to understand what it is that I'm talking about, and honestly it's that simplicity that Elizabeth Warren is betting on with this legislation because ultimately she's just trying to stay relevant with her Presidential campaign since she's already screwed it up.

    10. Re:A politician holding someone accountable? by cdsparrow · · Score: 1

      Yeah, but history shows us the mob loves to kill some rich folk, lol.

      The next law will be just to prekill the CEO before the breach happens.

    11. Re:A politician holding someone accountable? by az-saguaro · · Score: 2

      Yes, the CEO is responsible.
      That does not mean that all CEO's are cheats.
      But, a company that is expected to abide the law and whatever model of decency and good citizenship is expected, it is the CEO who oversees all that the company does to be in compliance.
      CEO's can err by acts of commission, the evildoers.
      They can err by acts of omission, failing to keep the company in line even if it was all an honest mistake or oversight.
      The CEO is responsible for what the company does, just like the captain of ship.
      If a boat captain runs his ship aground, the Navy doesn't say, "gee, we know you didn't mean to run over the beach and boardwalk, so we'll let bygones be bygones." That is what responsibility is about.

      Unless there is some system of carrots and sticks, incentives to keep them on track and doing the right thing, then the evildoer acts of commission have a greater risk of rising.

      The CEO is always the ultimate responsible party, and the bigger the breach of decency, public perception, corporate stewardship, the trust of their customers-shareholders-employees, and compliance with the law, then the harder they should fall or be reprimanded.

      The maintenance people, the secretaries, the engineers and technicians - they are not the problem. It is odd that you would think so for even a moment.
      Poorly performing and corrupt CEO's and corrupt boards of directors, those are the problem.

    12. Re:A politician holding someone accountable? by GregMmm · · Score: 1

      Ah, just give the security group more money. This doesn't take out the human element of an employee being lazy, reckless, etc. More money just sounds like a government solution, but I will concede this could help.

      I hope you're kidding about the putting profits before user data. Of course they do. Are they not in the business of making money, not in the business of protecting data. I'm not saying they are or not, just let's be real... profit. Also, I'm not going to invest in a company if its #1 priority is not to make profit. And please don't get righteous. If you want to open a business whose sole concern is security, go for it.

      I also can't agree with the CEO learning from the last one. History proves that time and time again. Also, greed is a great motivator to make a buck.

      I like how people get called names for posting their opinion. Great thing is, it doesn't bother me.
      You have your opinion and I have mine. I of course think mine is better. I can't draw the same conclusions.

    13. Re:A politician holding someone accountable? by serviscope_minor · · Score: 1, Insightful

      Ah, just give the security group more money.

      Yes.

      This doesn't take out the human element of an employee being lazy, reckless, etc.

      Hire better people. No crunch deadlines etc. You know a good way of hiring better people and having enough to avoid crunches?

      More money just sounds like a government solution,

      Governments successfully run the things that are too hard for companies to run.

      Are they not in the business of making money, not in the business of protecting data.

      The CEO is personally heavily invested in not going to prison, more so likely than maximising profit.

      Also, I'm not going to invest in a company if its #1 priority is not to make profit.

      A company has no priority, there are only the priorities of the people that work there.

      I like how people get called names for posting their opinion.

      Having an opinion is not a magical shield from criticism or censure. There's nothing virtuous about having an opinion. If you have a sufficiently stupid opinion, expect to get called an idiot. If you have a sufficiently obnoxious one, expect to get called something else.

      --
      SJW n. One who posts facts.
    14. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      Just like history shows that the wealthy love to fuck over the less wealthy?

      This is the problem with having an opinion that's purely based on emotion and rhetoric. You don't have any concept of nuance and just sling shit like a monkey.

      Next you'll be telling me that the people who are hired to be the public face running a company, and who are paid the most handsomely for that privilege, should be exempt from the responsibilities that come with that position. After all, executives clearly suffer enough whenever they royally fuck up, as the public record clearly shows.

    15. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      I see a dozen posts like this and I can tell you the legislation is nothing like what you describe. Stop derping for a minute and actually read and maybe learn something:

      This legislation *already exists* - for medical devices. You can be damned sure that if a medical device company executive doesn't direct his employees to perform due diligence and conform to regulations over the entire lifecycle of the device *and* that device ends up hurting or maiming people then that executive is going to jail.

      However, that legislation does not mean that medical devices won't kill people even when proper design controls are followed. Medical devices have, can, and will be approved by the FDA that meet all of the guidelines and will still kill people, simply because humans are fallible. An executive directing a device team that happens to kill people will not go to jail *if* they have enacted the correct policies and procedures as per FDA regulations.

      The proposed legislation is just copying medical device legislation to apply to data breaches. If the CEO/CSO/CISO properly directs his team and has policies and procedures in place to follow best security practices/due diligence and there is a data breach anyway they won't go to jail. The point is to prevent those executives from explicitly prioritizing profits over securing consumer data.

      In short, this legislation is actually a good thing, despite what your tiny, knee-jerking brain might be feebly attempting to think about it.

    16. Re:A politician holding someone accountable? by khchung · · Score: 1

      how will this be workable? So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks?

      YES, the CEO can always CHOOSE to have his company NOT STORE such data in the first place, and the CEO can always CHOOSE to spend more on data security.

      Data leaks could happen only because the CEO chose to store such data AND did spend enough on data security.

      --
      Oliver.
    17. Re:A politician holding someone accountable? by Ol+Olsoc · · Score: 1

      Wow someone has some real anger issues, and yes I am simple. I like it that way.

      This is the reason I posted what I did. This is an emotional response to try and solve a problem.

      Actually, there is no need for emotion. Just have people have some responsibility.

      The concept that the Top person at a company is a relatively new idea. Once upon a time, old Harry Truman noted that "The Buck Stops Here".

      Today, it appears that today's version the CEO is almost immune from any kind of prosecution. No responsibility to anyone at a company, or to the nation. Their only responsibility is to the stockholders, and not the law. You have to be exceptionally corrupt, like Elizabeth Holmes of Theranos infamy to have any actual repercussions.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    18. Re: A politician holding someone accountable? by kenh · · Score: 1

      So the CEO assumes responsibility for every decision a company makes? Wow, that's a big responsibility, I mean, that means everyone that works at the company avoids responsibility for any problems, because ultimately the CEO is responsible. Heck, if I was going to take on everyone's responsibilities I'd think I deserve 50-100x the average employee's wages.

      --
      Ken
    19. Re:A politician holding someone accountable? by WaffleMonster · · Score: 2

      The CEO is responsible for what the company does, just like the captain of ship.

      Nice tagline, what does it actually mean? Every Captain says they are responsible for their ship.

      If a boat captain runs his ship aground, the Navy doesn't say, "gee, we know you didn't mean to run over the beach and boardwalk, so we'll let bygones be bygones." That is what responsibility is about.

      Captain Kelly ran the Enterprise, a nuclear powered aircraft carrier, aground and was promoted a few months later.

      Captain Larrobino was not charged when a sailor was having a bad day and panic tossed a lit magnesium flare into a weapons locker nearly destroying a different aircraft carrier while killing 44. After the cause was found (manufacturing defects in flares) everyone who had been court-martialed was cleared.

      Some captains (Schettino, Avranas) deserved much worse than they got.

      Facts matter, not nonsensical abstract ideology.

      The CEO is always the ultimate responsible party, and the bigger the breach of decency, public perception, corporate stewardship, the trust of their customers-shareholders-employees, and compliance with the law, then the harder they should fall or be reprimanded.

      Fuck that, the CEO should be liable for their actions, not for what happens in the abstract.

      My god we are talking about people being held blanket liable for the criminal acts of completely unrelated people, criminal organizations or governments committing illegal acts working against the interest of a corporation. Where does the fucking madness end? You attack me and I go to jail? Give me a fucking break.

      What is especially disgusting about this legislation is the blanket conversion of civil liability into criminal liability without regard for what it even is.

    20. Re:A politician holding someone accountable? by Uberbah · · Score: 1

      So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks?

      Yes.

      Sort of like how the military is happy to fire a base commander after a serious fuckup. The commander might not have done the fuckup himself, but he was in charge of those who were, so his career is effectively ended.

    21. Re:A politician holding someone accountable? by Uberbah · · Score: 1

      I fully back this IF the politicians, like Elizabeth Warren, can also go to jail for their failures.

      Like what? What do you mean by "failure" in the context of an elected senator? You talking something reality-based like not engaging in insider trading, or libertarian derp like "failing" to single-handedly end deficit spending?

    22. Re:A politician holding someone accountable? by Solandri · · Score: 3, Informative

      3) The CEO goes to jail, perhaps their family is destroyed, etc. That will show them.

      Yes, the CEO put profits above user data. That's a crime and he went to prison.

      Generally, financial crimes don't involve prison time because there's no physical harm done. The economic harm is pretty easy to eliminate simply by adjusting the economics. i.e. You make the fine for putting profits above user data security so large that no CEO will put (typical) profits above user data. There's no need for prison sentences; that's just malicious victim-blaming because you're unable to find the thief. Remember, the CEO of the company holding your data isn't the one who stole your data - some hacker did. That's the true criminal. At worst, the company inadequately protected your data, or collected data that you may not have particularly wanted them to collect but you agreed to let them do it. Both are problems which are easily solved with economic disincentives. No need for prison.

      The dynamic that's going on here is that in property theft, if the company that's holding property has it stolen, they're out the stolen property. That financial loss creates an incentive for them to adequately protect that property in proportion to its value. But in the case of data, the "stolen" data is merely copied by the thieves. The company is not out the data, and their ability to use it in whatever manner they previously were to generate revenue, is unaffected. The lack of that economic loss when they're hacked is what creates the entire problem. So the simplest solution is just adding an economic loss as a disincentive.

      If you immediately jump to prison sentences, the only thing you're going to accomplish is making all these companies move their operations overseas, with all their executive officers located outside the U.S., and only keeping operational staff in the U.S. Your data will still be stolen just as it is now, because you didn't want to add an economic disincentive, and the companies found it easier just to move their executive officers out of the country rather than have them face prison time.

    23. Re:A politician holding someone accountable? by cbraescu1 · · Score: 1

      Your opinion doesn't count because you're a SJW and a defender of SJWs.

      --
      Catalin Braescu
      Ofaly.com
    24. Re:A politician holding someone accountable? by cbraescu1 · · Score: 0

      You realize you're trying to reason with unreasonable, extreme-left-wing SJWs?

      --
      Catalin Braescu
      Ofaly.com
    25. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      And what happens if the CEO puts forward a mandate to not store such data ever, and some employee stores it anyway behind the backs of all his superiors?

    26. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      Then you investigate.

      I'm pretty sure this law isn't as simple as "Data Breach = CEO Jailed", but it will look at the CEO as the usual suspect, much like how a spouse is the usual suspect in a murder case. Not instant conviction, but instant suspicion. If the CEO cooperates with the investigation and helps them find the real person responsible, the CEO won't even need to stand trial.

    27. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      Found the "temporarily embarrassed millionaire".

    28. Re:A politician holding someone accountable? by strikethree · · Score: 1

      Everything in this post except ONE thing is good, accurate, and relatable.

      What about the engineers and technicians?

      Fuck you you snivelling little shitstain.

      The issue isn't with the hostility; although it is counter-productive. No, the issue is that you automatically dismiss ALL responsibility that the lower layer people have.

      Everyone has a part to play here. The CEO is "where the buck stops" and the CEO and CIO should BOTH be held primarily accountable.

      Regardless, a simple lowly engineer can also be egregiously negligent and they should be held accountable too if they are demonstrating willful negligence. None of this absolves the CEO and CIO, but everyone needs to be accountable; otherwise, the "downtrodden" (seriously, update your worldview) can just fuck over the CEO and entire organization without worrying about being held accountable.

      Does that sound like Social Justice to you my fine warrior friend? If it does, you are working against your own fucking goals. ;)

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    29. Re:A politician holding someone accountable? by h4x0t · · Score: 1

      Corporations are profit driven top down organizations. Decisions are made at the top. Checks are written from the top. Historical failings of security are the result of willful negligence from the top.

    30. Re:A politician holding someone accountable? by AmiMoJo · · Score: 1

      Unless the CEO is personally going to pay the fine out of their own pocket, jail time is the only effective deterrent.

      Otherwise they will just ignore security, rake in the quarterly bonus on slightly higher profits and then bail out with their fortune when there is a breach.

      I'd require mandatory insurance against data breaches. The insurance companies will ensure good practice and audits take place. In the event of a breach the CEO will either be a genuine victim of a sophisticated attack that could not reasonably have been prevented, or guilty of insurance fraud and/or negligence.

      Even if there is no criminal case the insurance company will sue them into oblivion if they didn't act responsibly.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    31. Re:A politician holding someone accountable? by AmiMoJo · · Score: 1

      Oh no, you suggested that the government might be good at something! No wonder someone modded you "-1 troll", I mean the mere suggestion that the government isn't utterly incompetent and corrupt is offensive and triggering.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    32. Re:A politician holding someone accountable? by Anonymous Coward · · Score: 0

      Drink! Amimojo telling other people what they're thinking when they press that downvote!

      Extra drink for dismissing dissent as triggered haters the same way Trump would.

    33. Re:A politician holding someone accountable? by serviscope_minor · · Score: 1

      Oh no, you suggested that the government might be good at something! No wonder someone modded you "-1 troll", I mean the mere suggestion that the government isn't utterly incompetent and corrupt is offensive and triggering.

      Ha! yeah. Teh gubbmint si teh ebul is sort of an axiom around here. Challenging it is an affront to freeze peach and must be downmodded.

      --
      SJW n. One who posts facts.
    34. Re:A politician holding someone accountable? by serviscope_minor · · Score: 1

      Yes. SJW are wrongthink. Free speech is only for edgelords.

      --
      SJW n. One who posts facts.
    35. Re:A politician holding someone accountable? by Bigjeff5 · · Score: 1

      You clearly haven't thought through the economics of this, at all.

      Most companies are managed at the top by a board of directors. These directors hire a CEO based on their ability to maximize profits to the shareholders.

      How long do you think a CEO will last when he consistently costs his company tens to hundreds of millions of dollars, potentially even billions of dollars, in fines due to data breaches?

      I don't know any of the proposals on the table, but just imagine if the fines were something relatively simple like $1000 per individual's data compromise. That doesn't seem like a crazy number to me.

      Now consider that the recent Facebook data breach was estimated to be somewhere around 200 million to 600 million users affected. That's $200 billion to $600 billion in fines. Hell, even if it's 1/10th of that, a $100 fine per incident, that's still $2 billion to $6 billion. Granted, that 200 billion won't all be in the US, but I'll bet 100 million isn't too far off for the US alone.

      There isn't a company on the planet that isn't going to pay attention to a billion dollar fine. You think the CEO is getting off with a golden parachute if he lets something like that happen under his watch? You think another company will decide to choose him as their CEO after a loss like that? I highly doubt it. I highly, highly doubt it. That CEO's career is over.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  11. Add the Government to that list by gettin2old · · Score: 2

    They hold more data on people than anyone on government computers, and they have proven they can be hacked. (OPM, etc.)
    They should be required to take just as much care of it as any business. And they should face the same penalties. Maybe even retired Execs on whose watch systems stagnated for 10 or more years.

  12. It'll never fly by SlaveToTheGrind · · Score: 2

    All successful legislation has some sort of memorable/cute/catchy acronym. "CEA" just doesn't cut the mustard. Something like the Corporate Responsibility After Pwnage Act would have had a much better shot.

  13. There goes her Facebook support. by Anonymous Coward · · Score: 0

    Cowboys and Indians..

  14. Do we charge homeowners for being burgled? by Ken+McE · · Score: 0

    Do we charge homeowners for being burgled? This incentive would encourage companies to *never* report breaches, or minimize what they report even more than they do now.

    I admire the sentiment, but this is not the way...

    1. Re:Do we charge homeowners for being burgled? by DogDude · · Score: 1

      That's not a good analogy. When you have something stolen from your house, it doesn't damage other people. When my data is stolen, it harms me.

      --
      I don't respond to AC's.
    2. Re:Do we charge homeowners for being burgled? by FFOMelchior · · Score: 4, Informative

      Terrible analogy. They're not stealing the homeowner's stuff, they're stealing OUR stuff.
      A closer analogy would be if someone broke into Public Storage and my stuff got stolen. If it could be proven that Public Storage was negligent (didn't spend money on increased security, even after being warned thieves were in the area), then yes, they should be charged with breach of conduct.
      This analogy is closer, but still not all the way there, because we're dealing with a Public Storage that's somehow storing my stuff even when we don't sign up for it.

    3. Re:Do we charge homeowners for being burgled? by Miles_O'Toole · · Score: 1

      No, we don't charge homeowners for being burgled. But of course, that's an analogy so flawed only some kind of corporate-owned troll would even raise it.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    4. Re:Do we charge homeowners for being burgled? by Anonymous Coward · · Score: 0

      You can possibly be liable if your firearm isn't properly secured and is stolen and used in a crime.

      You can be liable if kids sneak into your backyard and drown in your pool, because you didn't have the right kind of fence.

      As for Warren, this is just virtue signalling for her presidential run. There's no intention to get these bills she keeps proposing passed, she's just throwing shit at the wall to see what sticks.

    5. Re:Do we charge homeowners for being burgled? by Anonymous Coward · · Score: 0

      If not your stuff, it's stuff they have about you. There's a big difference. If you don't like that, then that's the issue you should be addressing.

    6. Re:Do we charge homeowners for being burgled? by i.r.id10t · · Score: 1

      Not quite. Otherwise there wouldn't be laws regarding the safe secure storage of firearms, laws requiring immediate report of theft of firearms, etc.

      Not that most of us gun owners wouldn't do all of that anyway... but you know... gotta pass laws.

      --
      Don't blame me, I voted for Kodos
  15. ^ Dumb faggot detected. by Anonymous Coward · · Score: 0

    I guess someone needs to dox this AROS anus...

  16. As long as congress members can be charged/jailed by Anonymous Coward · · Score: 0

    As long as congress members (house or senate) can be charged and jailed for data breaches in their respective offices...

  17. Racist by DogDude · · Score: 0

    Fuck you, you racist asshole.

    Yes, it will make things more expensive for companies. I think it's worth it. I would imagine most sensible people think it's worth it. If you don't care, why don't you post your personal info here?

    --
    I don't respond to AC's.
    1. Re:Racist by ARos · · Score: 0, Troll

      Nothing racist about calling Elizabeth Warren "Pocahontas" whatsoever. She is not Native American, and took advantage of our racist school admission policies to gain admittance over potentially more qualified candidates.

      I didn't say that I didn't care about privacy: I just said that it shouldn't be mandated on companies by the government. There is a market out there, and you should be free as a consumer to decide what services you want and what fits your budget. If you want a service that offers greater security guarantees at a higher cost, then you should be free to pay for it. It's childish to suggest that companies that offer services for free (in exchange for data used mostly anonymously for analytics) should have their leaders exposed to personal liability on behalf of consumers who have signed privacy policies. No one is sticking a gun to your head and saying "use Google" or "use Facebook". If you care so much about privacy, create a company that does a better job than other companies at privacy.

    2. Re:Racist by DogDude · · Score: 2

      1. She did not use her heritage to gain admittance to any school. That's a lie.

      2. Using the word "Pocahontas" is, indeed, racist.

      3. The free market is not the guiding principle of our entire society. We need regulation. The free market isn't a cure-all.

      4. Yes, company leaders do need to be exposed to personal liability. If not, then who is held accountable for a crime by a large company? The millions of stockholders? Should we arrest everybody who owns a share of stock of a company when that company breaks the law? I'd bet that 99% of people with an IRA or 401(k) own shares of Google, Facebook, etc, at least indirectly.

      --
      I don't respond to AC's.
    3. Re:Racist by Anonymous Coward · · Score: 0

      Wow, the quality of trolls has seriously gone downhill over the years. Now they're arguing that the leadership of companies who control our data should have no liability because they "have a policy." Yeah, you try holding Google accountable and/or liable according to their own policies sometime. Not to mention this fantastical myth that people gave away their rights for a "free" service. If it was free it would not cost us that data, and we wouldn't be here arguing about the consequences of that cost. And Google wouldn't even have to put up a bullshit "policy" that tries to protect them for their use of that data.

    4. Re:Racist by Anonymous Coward · · Score: 0

      Saying she lied and then making fun of her is racist how leftist tool?

    5. Re:Racist by Anonymous Coward · · Score: 0

      1. Yes she did.
      2. Only if you're a commie tool
      3. Yes it is. Fuck you commie.
      4. You should be held accountable. You.

    6. Re:Racist by Anonymous Coward · · Score: 0

      Fuck you racist commie.

    7. Re:Racist by Anonymous Coward · · Score: 0

      You're right, it was to gain admittance to the Texas state bar association. Now, we'll never know what role it played, if any, but we can say with absolute certainty that she attempted to use it to gain an advantage.

      Here it is in her own handwriting. https://twitter.com/AmyEGardner/status/1092941590555971585/photo/1

      Also, since when is name calling racist?

      racism:
      a belief or doctrine that inherent differences among the various human racial groups determine cultural or individual achievement, usually involving the idea that one's own race is superior and has the right to dominate others or that a particular racial group is inferior to the others.

      A white guy calling a white woman a name doesn't seem to fit the definition of racism. I'm sure you've got a convenient definition different than the literal dictionary definition that will suit your needs, but shit, you are pathetic.

    8. Re:Racist by Anonymous Coward · · Score: 0

      Not to mention this fantastical myth that people gave away their rights for a "free" service. If it was free it would not cost us that data, and we wouldn't be here arguing about the consequences of that cost.

      Yeah, I'm sick of that too, and I'm also sick of the "if it's free, you're the product" apologist bullshit among those who think they know better about how this game works.

      I've been using free software and operating systems for over ten years and never been forced to give away my data to anybody. Not once.

  18. What? by DogDude · · Score: 1

    What in the hell are you talking about? You have to hold the people in charge accountable, not the people who follow orders.

    --
    I don't respond to AC's.
    1. Re:What? by ShanghaiBill · · Score: 1

      You have to hold the people in charge accountable, not the people who follow orders.

      The lesson from Nuremberg is that both have to be held accountable.

  19. Applies to Government too? by Anonymous Coward · · Score: 0

    Does it apply to the government also? Because they'd have to send themselves to jail due to the US voter database breach alone.

    https://digitalguardian.com/blog/top-10-biggest-us-government-data-breaches-all-time

  20. Worthless by Dirk+Becher · · Score: 3, Informative

    EU did this with their data protection act. The result was that every time you opened Google or any other Google service that a banner popped up telling you to authorize them to do whatever they were doing without your consent to that point. If you didn't confirm, you couldn't use any Google service anymore. Imagine telling that to your boss if work needs to be done...

    1. Re:Worthless by Anonymous Coward · · Score: 0

      Because the EU didn't do the remaining part, which is: Require services be functional even if you refuse to let them spy on you.

    2. Re:Worthless by Cederic · · Score: 2

      I believe you haven't read Article 7, section 4 of the GDPR.
      https://gdpr-info.eu/art-7-gdp...

    3. Re:Worthless by AmiMoJo · · Score: 2

      Actually no, that would not comply with GDPR and is not what Google does.

      Under GDPR it is not allowed to tie provision of services to use of personal data that is not essential to providing said services. In other words you can't be forced to agree to non-essential processing just to use Google search.

      Google displays a box asking you to review your privacy settings. If you ignore it, they legally can't use your data for non-essential purposes. It has to be opt-in. Eventually they will create a pop-over, but you can still click "remind me later".

      They really want you to agree of course, but can't force you to.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Worthless by argStyopa · · Score: 1

      ^ and this is exactly the point. Window dressing that changes actually nothing.

      If I could mod the op up +100 I would.

      When was the last time you ACTUALLY clicked "no" to that ubiquitous (now) popup? Never? So what the FUCK is it actually good for. Congratulations, we all now are reminded you're tracking us...only a moron wouldn't know that in the FIRST place.

      --
      -Styopa
    5. Re:Worthless by Dirk+Becher · · Score: 1

      - The idea of having personalized privacy settings is itself wrong because individualized privacy settings means that Google has to determine your identity somehow which they are NOT supposed to do! And they even want you to log in with a Google account to perform that task!

      - The privacy settings offered (opting your data out for search results and advertisement etc.) are likely only the peak of the iceberg what Google does with your data. There is tons of legal gibberish. Who guarantees me that setting all this stuff will deprive Google of all data processing except for the one necessary for fulfilling my search?

  21. Todd Weaver speech... by Anonymous Coward · · Score: 0

    Todd Weaver made an excellent speech approaching this very topic in a slightly different way:
    https://puri.sm/posts/the-future-of-computing-and-why-you-should-care/

  22. How about the Politician Accountability Act? by magzteel · · Score: 2

    How about instead she proposes the "Politician Accountability Act"?

    "The Politician Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" politicians when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when politicians oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."

  23. Don't use APK's shit software by Anonymous Coward · · Score: 0, Informative

    APK's software is complete shit and hosts for security is a complete joke. APK Hosts File Engine is a glorified string sorting program and offers no real security. It can't even do wildcards like blocking *.facebook.com, let alone any sort of whitelisting to protect from unknown threats. Hosts just aren't a good solution. Plus, APK won't open the source to his program, so there's no telling what sorts of malware is lurking in those binaries. Avoid it at all costs. The software is complete shit and so is its author.

  24. Opinion with no underlying understanding? by Futurepower(R) · · Score: 1

    Very likely she knows NOTHING about technology.

    1. Re: Opinion with no underlying understanding? by Anonymous Coward · · Score: 0

      Oh stop it, script kiddie!

  25. Re: "My father was born in NYC, Germany" - Dumbass by Anonymous Coward · · Score: 0

    God i luv /.

  26. Did Amazon make 1 Billion last year? by Anonymous Coward · · Score: 0

    I know they paid no taxes, so I'm guessing they didn't.

    Elizabeth Warren is a symptom of the problem in this country. We have a bunch of crap law makers and they have infected this country with crap laws.

  27. Not from the Democrats by tomhath · · Score: 0, Troll

    Democrats have done everything they can to sabotage the current administration rather than looking for a way to get things done by compromising.

    As a result, they will not get anything passed that they want. She knows this bill has zero chance of getting out of committee.

    1. Re:Not from the Democrats by pslytely+psycho · · Score: 1, Insightful

      Just as the Republicans did to Obama, so what's your point?
      That tactic is now being used against them and all of a sudden it's a problem? They fucking invented it.

      https://www.politico.com/story/2010/10/the-gops-no-compromise-pledge-044311

      https://www.politico.com/magazine/story/2016/12/republican-party-obstructionism-victory-trump-214498

      http://apps.frontline.org/divided-states-of-america-the-frontline-interviews/moments/the-opposition-strategy.html

      Ass, meet bite.
      Just wait till roles reverse again (they always do) and the D's use the Nuclear Option for confirmations. The R's will have a shit fit then as they didn't learn the consequences when the D's did the same thing, which of course, came back to bite the D's in the ass.

      Politicians never fucking learn. When you use dirty tactics, expect them to be repaid in kind. Karma baby!

      --
      Donald Trump, on a crusade to make Nixon look respectable
    2. Re:Not from the Democrats by Anonymous Coward · · Score: 0

      I like that you don't like your own medicine.

    3. Re:Not from the Democrats by Anonymous Coward · · Score: 0

      The R's will have a shit fit then as they didn't learn the consequences when the D's did the same thing, which of course, came back to bite the D's in the ass.

      Just like Wrestler A is shocked when Wrestler B picks up a chair and hit him in the back of the head even though Wrestler A did that same thing in the previous match?

      Politics: Professional wrestling for people too snobby for professional wrestling.

    4. Re:Not from the Democrats by Anonymous Coward · · Score: 0

      It was wrong then, and it's wrong now. There's no "all of a sudden it's wrong" here, and gleefully gloating just seems so tone-deaf to the fact that our political system is in shambles.

    5. Re:Not from the Democrats by Anonymous Coward · · Score: 0

      you're exactly why this country is in the state it's currently in.

      xenophobic mf

  28. Why the cutoff? by Anonymous Coward · · Score: 0

    Why only above $1 billion? Make $0.999 billion and it's okay to be irresponsible with security?

    1. Re:Why the cutoff? by Anonymous Coward · · Score: 0

      If you're clever, you'll split your own company into multiple companies right before hitting the billion mark. Every time one of those gets close to a billion, keep dividing. You could have a nice big family of companies if you're successful enough, with zero data protection liability!

  29. Sounds a bit like a SARBOX bill but for privacy... by CFD339 · · Score: 4, Interesting

    SARBOX makes executives personally responsible for the accuracy of the financial data they put out. This has made them get serious about the source of that financial data within their own company. Maybe a bill like this would help with privacy the same way.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  30. Would this include our government officials? by Anonymous Coward · · Score: 0

    I'm wondering, as our government has had data breaches in the past, does this apply to our government officials? They make well in excess of a billion dollars, repeatedly break federal laws and harm large numbers of Americans. Wikileaks would be a treasure trove of lawsuits.

  31. Privacy is a red herring by rsilvergun · · Score: 3, Interesting

    You care about privacy to protect what you have, and what you have gets less and less every year.

    This isn't a shot at tech companies. She just did that so it's harder to criticize her (after all, the tech companies just love liberals). No, this is a shot at the folks who crashed the economy in 2008. After that working class Americans lost trillions in wealth. That wealth wasn't destroyed, it was pocketed by the rich. It was the single biggest wealth transfer in my life. Maybe in history.

    The trouble here is we focus too much on how Facebook knows what color car we like best or our favorite restaurant and not enough on the massive wealth grab that happens every 10 years when corrupt businessmen and politicians crash the economy and then buy up our assets at rock bottom prices while we're laid off.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Privacy is a red herring by Anonymous Coward · · Score: 0

      Yes. Keep all divided while laughing all the way to the bank that they created.

  32. The law doesn't just apply to tech firms silly by rsilvergun · · Score: 4, Insightful

    it applies across the board, and includes lots more provisions to punish corrupt CEOs like the folks who crashed our economy in 2008.

    The reason she's focused on tech firms is that the media narrative is that the tech firms and the Democrats are in cahoots, so that anything she proposes to regulate to general businesses would be framed in that narrative ("why are you going after such and such and leaving Silicon Valley alone Ms Warren, hmmmm?"). This is a smart political move to defang one of the chief distracting narratives that would normally be used against her. It hurts the bill a little bit with techy nerds, but we're a tiny, tiny minority, and a lot of us (like me) see what she's doing there.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  33. English ain't source code by Tablizer · · Score: 1

    A common problem with laws like this is it's hard to write legal verbiage precisely enough to have teeth yet not be so specific that it leaves work-arounds and loopholes.

    If you use generalizations and leave interpretation to judges and juries, they'll confuse it every which way, often depending on the manipulation prowess of the lawyers involved.

    It may do nothing but make lawyers rich and everybody else confused.

  34. She's a real Cherokee Injun by Anonymous Coward · · Score: 0

    Pocahontas and Creepy Joe have no chance of beating Trump in 2020, sorry Slashdot libtards. Don't forget Israel can meddle and collude all they want and nobody will investigate shit.

  35. Blame Shifting by l0ungeb0y · · Score: 1

    This does nothing but shift the blame from the Hackers to the Execs while doing jack shit to address the issue. What the Government needs to do is introduce a National Data Security Standard and most likely an Agency to work with Universities and the Industry to Draft that standard as well as be proved a means of oversight and enforcement. The Government should also provide free tools, services and libraries that the public can use to secure their data in accordance to those standards. But I fear that anything the Government tries to do would result in more confusion and chaos than anything, and most likely harm or outright destroy tech innovation from small sized startups

    1. Re:Blame Shifting by Anonymous Coward · · Score: 0

      Of course that's what it is. Who do you think has more money to be confiscated by government in the name of the proletariat in a kangaroo court that makes mockery of actual justice?

      Government doesn't want to go through the trouble of finding far flung hackers. It's easier to go after people who are forced by law to stay close enough to government for them to be assaulted by it when it is politically convenient.

  36. Can't we have someone who ... by WaffleMonster · · Score: 1

    Is there any candidate who both isn't corrupt and NOT an obnoxious rabid zealot?

    the term 'covered corporation' means a corporation that generates more than $1,000,000,000 in revenue on an annual basis

    Why should how much a company makes dictate CRIMINAL liability of executive officers? Why should during an off-year when yearly revenues dip below some magic threshold the same executive officer have less CRIMINAL liability or vice versa? Why should executive officer of a small million dollar company have less CRIMINAL liability for the same exact behavior as a larger company?

    Making law that targets people you don't like so specifically in this way is a practice I find particularly sleazy and disgusting.

    It shall be unlawful for an executive officer of a covered corporation to negligently permit or fail to prevent a violation of law described in paragraph

    Leave it to the lawyers to keep trying to make everyone liable for something even if they had nothing to do with it. It's getting old.

    (C) any criminal or civil violation of Federal or State law, for which the covered corporation was convicted or found liable, as the case may be, that was committed while the covered corporation was operating under a civil or criminal judgment of any court

    Nice a law that turns arbitrary uncategorized unspecified civil violations into criminal ones.

    1. Re:Can't we have someone who ... by jeff4747 · · Score: 3, Informative

      Why should how much a company makes dictate CRIMINAL liability of executive officers?

      Because such a company has sufficient resources to actually fix the security holes identified by their security team.

      Also, plain-ol' negligence gets the job done on smaller companies. Larger ones just factor the cost of fines and/or lawsuits into the decision.

      Why should during an off-year when yearly revenues dip below some magic threshold the same executive officer have less CRIMINAL liability or vice versa?

      Such line-crossing is not all that common. And you have to have some line to differentiate between a Mom-and-Pop and Equifax.

      Why should executive officer of a small million dollar company have less CRIMINAL liability for the same exact behavior as a larger company?

      The smaller company is usually restrained by the danger of lawsuits - they could actually destroy the business. Executives at larger companies (there's a reason I cited Equifax above) aren't.

      Leave it to the lawyers to keep trying to make everyone liable for something even if they had nothing to do with it.

      You should probably learn a bit about the concept of Negligence before commenting.

      "We got hacked" isn't negligence. "Sir, There's a massive security hole here!", "I don't want to spend the money to fix it" is. The executives are in charge of making such a decision. That's why they get the big bucks.

      Nice a law that turns arbitrary uncategorized unspecified civil violations into criminal ones.

      Well, the fine executives over at ol' Equifax decided it was cheaper to just keep the security holes in place, and paid a pittance in civil liability.

    2. Re:Can't we have someone who ... by WaffleMonster · · Score: 1

      Because such a company has sufficient resources to actually fix the security holes identified by their security team.

      This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.

      The smaller company is usually restrained by the danger of lawsuits - they could actually destroy the business

      What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?

      You should probably learn a bit about the concept of Negligence before commenting.

      Negligence is whatever you can convince a judge and or jury negligence is.

      "We got hacked" isn't negligence.

      You're a big company you get hacked you get fined and sued no matter what the facts of the situation are. You could be fully compliant with whatever security standards exist and it won't do you a lick of good.

      Well, the fine executives over at ol' Equifax decided it was cheaper to just keep the security holes in place, and paid a pittance in civil liability.

      Is this supposed to be some kind of justification for conversion of CIVIL liability into CRIMINAL liability? If public and lawmakers are unhappy about low fines they can change the laws to address the issue specifically. There is no need to pull stunts like this. It's especially egregious given the standards of proof are different for each category of crime. Linking them in this manner effectively bypasses important process protections.

    3. Re:Can't we have someone who ... by jeff4747 · · Score: 3, Insightful

      This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.

      So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.

      The line is drawn here such that these regulations would only affect very large companies. Because it's those very large companies that are not being reined in by plain-ol' negligence lawsuits.

      What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?

      The lawsuits are ineffective at getting very large corporations to care.

      Let me put it this way: In a lawsuit, you can recover the value of what you lost. Someone destroys your car, you can sue and get the value of your car.

      I was affected by the Equifax hack. Legally, the value lost to me in that hack is $0.

      I am not a party to any transactions where that data has value (Equifax and its customers), so I'm not out any money. "Someone may commit credit card fraud in the future" is not a basis for winning a lawsuit. If someone actually did commit credit card fraud, I would have to prove the data came from the Equifax hack and not, say, the Blue Cross hack where my data was also stolen. And that's not possible due to all the middlemen involved in getting that data to the people who actually commit fraud.

      At best, I could demand Equifax pay for credit monitoring for some very limited period of time. And since Equifax already provides that service, they are out a very trivial amount of money - it costs them almost nothing to turn on the monitoring software they already have.

      Which means civil liability provides exactly zero disincentive to Equifax's executives.

      Negligence is whatever you can convince a judge and or jury negligence is.

      Nope, it has an actual legal definition.

      You're a big company you get hacked you get fined and sued no matter what the facts of the situation are.

      And as I demonstrated above, the cost of those fines and lawsuits is negligible, and thus provides no disincentive for being negligent.

      Heck, golden parachutes mean there's virtually no incentive for executives to avoid negligence even if fines were astronomical. They'd still make a ton of money before the shit hit the fan, and the shit hitting the fan is zero impediment for getting a new job (Hi Bob Nardelli!)

    4. Re:Can't we have someone who ... by WaffleMonster · · Score: 1

      Negligence is whatever you can convince a judge and or jury negligence is.

      Nope, it has an actual legal definition.

      A legal definition whose outcome rests primarily on what a "reasonable person" would do.

      So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.

      In effect you are making fun of yourself. You were the one who originally asserted a relationship between revenue and operating budget when you said "such a company has sufficient resources to actually fix the security holes"

      The point I was making is clear to any reasonable person. You don't need to be making a billion dollars a year to have the resources to "actually fix security holes identified by their security team".

      The line is drawn here such that these regulations would only affect very large companies. Because it's those very large companies that are not being reined in by plain-ol' negligence lawsuits.

      Yea well this justification sucks. If the penalties are insufficient petition to have them changed so they are sufficient. She could have done that. Instead she elected to turn the legal system into a game of magic the gathering.

      I was affected by the Equifax hack. Legally, the value lost to me in that hack is $0.

      At best, I could demand Equifax pay for credit monitoring for some very limited period of time. And since Equifax already provides that service, they are out a very trivial amount of money - it costs them almost nothing to turn on the monitoring software they already have.

      Which means civil liability provides exactly zero disincentive to Equifax's executives.

      You've communicated what you see as a problem. I'm probably on board with the premise a problem exists. This piece of crap legislation sure as hell isn't the solution to anything.

      You can do any number of things legislatively that would be infinitely better than this piece of shit scheme.

      - Outlaw Equifax's business model of collecting shit on everyone without their knowledge or consent and selling it would be swell.

      - Adjust penalties so damage inflicted scales with company so there is no such thing as too big to pay fines.

      Sending people to jail for the fruits of criminal actions executed against them is immoral and outrageous in my view. So some tech goon didn't fix a vuln fast enough. What if the attackers exploited a 0-day nobody knew about instead and got in that way? Would anything change? Would you be any less pissed? Would Equifax be any less liable? What if it was an insider who got divorced, wife got the house and went crazy? Would it make any difference?

      And as I demonstrated above, the cost of those fines and lawsuits is negligible, and thus provides no disincentive for being negligent.

      The central issue here is problem and solution don't match up. If your issue is fines are too damn low. Petition to make them higher.

      Heck, golden parachutes mean there's virtually no incentive for executives to avoid negligence even if fines were astronomical. They'd still make a ton of money before the shit hit the fan, and the shit hitting the fan is zero impediment for getting a new job (Hi Bob Nardelli!)

      It's good to be king. Don't like it? Jealous? Vote for the one promising to send the king to jail!!

  37. Please by kenh · · Score: 1

    Define "negligent" executives - is it "negligent" to hire a competent staff, but the staff makes a mistake?

    --
    Ken
    1. Re:Please by jeff4747 · · Score: 1

      is it "negligent" to hire a competent staff, but the staff makes a mistake?

      Nope.

      It is negligent to hire a competent staff, have that staff warn you about security issues, and you decide to save money by not fixing them.

      The more difficult line to draw is just how incompetent does your staff need to be before it's negligence. But that's what judges and juries are for.

  38. Risk vs Reward by nehumanuscrede · · Score: 1

    I'm all for this bill to be honest.

    This is how the military operates. Take a ship for example.

    If you are the Commanding Officer of a ship, then everything about that ship is ultimately your responsibility. Good or bad.
    If something stupid happens it's YOUR fault because there is likely something YOU could have done to prevent it.
    ( Be it better training for your crew, better judgement from your Officers, knowing everything about your ship inside and out, etc. etc. )

    You don't get to blame it on a scapegoat. YOUR command, YOUR responsibility. Period.
    Your glory if you get it right, your shame if you don't.

    The same thing should apply to the CEO's of any corporation.

    If you want the big salaries, they should come with real risks. Not Golden Parachute retirements while everyone else goes down with the ship.

    The risk alone will deter all but the most serious candidates to even apply for the job.
    Hell, it may even ensure that CEO's take security seriously. ( for once )

    1. Re:Risk vs Reward by WaffleMonster · · Score: 1

      If you are the Commanding Officer of a ship, then everything about that ship is ultimately your responsibility. Good or bad.
      If something stupid happens it's YOUR fault because there is likely something YOU could have done to prevent it.
      ( Be it better training for your crew, better judgement from your Officers, knowing everything about your ship inside and out, etc. etc. )

      You don't get to blame it on a scapegoat. YOUR command, YOUR responsibility. Period.
      Your glory if you get it right, your shame if you don't.

      Sounds great. Only problem it's demonstrably false.

      Captain Kelly ran the Enterprise, a nuclear-powered aircraft carrier, aground and was promoted a few months later.

      Captain Iarrobino was not charged when a sailor was having a bad day and panic tossed a lit magnesium flare into a weapons locker nearly destroying a different aircraft carrier while killing 44. After the cause was found (manufacturing defects in flares) everyone who had been slapped on the wrist or court-martialed was cleared.

      The risk alone will deter all but the most serious candidates to even apply for the job. Hell, it may even ensure that CEO's take security seriously. ( for once )

      The problem with this rhetoric is none of us have any idea what "take security seriously" means. Is it even possible to be exonerated of responsibility for a breach even if you had the best security in the world? Is there a system in existence where in hindsight you couldn't get someone to point out what shoulda coulda woulda? Has any corporation ever in history ever once been exonerated in a breach?

      Do ends justify means?

      Are commanders held liable by default for lost personnel and equipment as a result of enemy action?

    2. Re:Risk vs Reward by Miles_O'Toole · · Score: 1

      If I had mod points, I would absolutely give you one.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
  39. Make it apply to Congress by Anonymous Coward · · Score: 0

    Introduce one that sends Representatives and Senators to jail, and I'll listen.....

  40. Equifax Executives by Anonymous Coward · · Score: 0

    Send those corrupt Equifax executives to Vietnam. They will know what to do with them.

    https://www.pri.org/stories/2014-04-03/vietnam-sentencing-corrupt-bankers-death-firing-squad

    This would put the rest of the executives in the United States on notice.

    If you think that this is a sarcastic post, think again. Corrupt executives have destroyed many lives recently, causing people to lose their homes, jobs, and life savings. Corrupt executives became rich while doctors prescribed their opioids that people become addicted to and died. These executives don't need golden parachutes, they need concrete shoes.

  41. Yay by Anonymous Coward · · Score: 0

    yay something else designed to take down companies that can compete with corporate China.

  42. What will happen by Anonymous Coward · · Score: 0

    CEO calls corporate attorney in and asks what processes and paperwork need to be in place to 100% cover his ass under all circumstances, even cases of gross incompetence, negligence, malice, etc. somewhere within the organization. Attorney answers with Stuff That Looks Like Trying Really Hard. New committees to review all decisions, mandatory training for all sorts of people, prime placement in the company's Core Values statement, etc. CEO snaps his fingers and dictates that all of these should pop into existence. They do, in some godforsaken form or another.

    Whether or not they accomplish anything is perfectly irrelevant. When a data breach occurs, the CEO's team of company-paid attorneys amasses a pile of Stuff That Looks Like Trying Really Hard, which is all it takes to beat a negligence charge. Unfortunately for the state, it isn't dealing with the namby-pamby bar of a civil case, here. This is "beyond reasonable doubt" territory. Oh, you'd get to kick a few folks with it every once in a while, but it would do little to change anything because they would only be those who ignored the need to paper over the risk. What the law would utterly suck at is prosecuting the difference between papering over the risks and actually mitigating them. Thus execs would only need confidence in their paperwork, not their actual security.

    1. Re:What will happen by Anonymous Coward · · Score: 0

      What if the prosecution summons the network administrator to the bench, sworn under oath, and gets them to confess about how things really went down whenever he brought up the subject of security? If the police involve the admin while building evidence on an investigation, they could have him wear a wire and record the higher-ups trying to sweep shit under the rug and delay patches and pentesting, purely for cost-cutting reasons.

  43. It's about due diligence, not impossibility by Uberbah · · Score: 1

    It is impossible to completely prevent a data breach

    Good thing that's a straw man, then. If your network is attacked by a zero-day exploit, particularly one done by a state intelligence agency, then there's not much you could have done and thus you won't face prison time. You host critical customer data on an unpatched Windows 2008 Server machine that's open to the internet? You're going to jail.

  44. Return the stolen land to her people! by Anonymous Coward · · Score: 0

    Her people have been treated badly for too long!

  45. Put Shoes on Both Feet by Anonymous Coward · · Score: 0

    I am 100% in support of this as long as we hold government responsible for every terrorist attack that it fails to prevent, and every murder that gun manufacturers fail to prevent, and every car crash that auto manufacturers fail to prevent, and every cut that knife manufacturers fail to prevent, and every harm conceivable from any product that its manufacturer fails to prevent.

  46. That's a really bad analogy. by sabbede · · Score: 2

    "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail,"

    But if a bank gets robbed, and the bank's customers' money is stolen, we don't put the bank manager in jail, we put the robber in jail. A corporation that got breached is far more like a robbed bank than it is a pickpocket.

    If she wants to change the law to call a corporation that fails to do its due diligence in protecting user data criminally negligent, that's fine. If she wants to take a company that was taking reasonable precautions but got breached anyway, and send the executives to prison for having been robbed, that's absurd.

    1. Re:That's a really bad analogy. by strikethree · · Score: 1

      It is not a bad analogy but it is being framed wrong. But let's work with the path you are going down:

      But if a bank gets robbed, and the bank's customers' money is stolen, we don't put the bank manager in jail, we put the robber in jail. A corporation that got breached is far more like a robbed bank than it is a pickpocket.

      What if the bank didn't bother to protect itself against robberies? No silent alarms, no policies and procedures, etc?

      Sure, you can not "really" prevent a robbery, but you can limit the damage and you can limit the ease with which a bank can be robbed and you can limit the amount of expected success.

      If a CEO of a bank decided that security was not important and failed to implement known-effective security measures, don't you think that CEO should be held responsible for their banks getting robbed?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen

    2. Re:That's a really bad analogy. by Anonymous Coward · · Score: 0

      agreed

    3. Re:That's a really bad analogy. by WaffleMonster · · Score: 1

      If a CEO of a bank decided that security was not important and failed to implement known-effective security measures, don't you think that CEO should be held responsible for their banks getting robbed?

      I would be curious if anyone is able to cite just one single solitary instance of a major data breach where the company holding data was deemed to have "sufficient" safeguards in place and therefore wasn't held responsible for the attack.

      A 9/11's worth of people die each and every DAY in car accidents adding up to well over a million deaths a year. Are automobile companies really doing everything they could possibly be doing to prevent all these deaths? Should executives be placed in death row?

      Every time someone dies in a car accident response is crickets. No outrage, no calls for heads to roll, no prospect of jail time for auto execs. People seem to be hard wired to care about single events that affect many and ignore many events that affect a small number of people.

      Show me an accident and I'll dream up some way it could have been avoided and point to technology that could have been used to do so.

      Show me a data breach and I'll dream up some way it could have been avoided and point to something that could have been done to prevent it.

      Show me a few lines of source code and I'll rattle out an endless array of problems.

      For some reason society seems willing to tolerate breathtaking numbers of people being constantly turned into road kill yet there seems to be no example of even a single instance where responsibility for any major breach on earth was not assigned to the company that was the victim of an attack.

      You can think making people responsible for what happens to them is good or bad. You can believe it's great because it improves security or wrong to send people to jail for not doing enough to stop attacks.

      What I'm having trouble with is existence of evidence to support the notion a CEO who pressed for implementation of "reasonable" security measures still wouldn't be held responsible if they were bypassed anyway. There as a practical matter seems to be no standard that is "good enough" to withstand the public freak out associated with events that adversely affect countless millions.

      Right now corporations can even be hacked by foreign governments (Marriott) and still face being fined to kingdom come for failing to defend against hostile actions by foreign nations.

      Is there in reality a standard anyone can follow that would absolve them of responsibility if attack is successful anyway?

      A specific example: A company can be deemed to be in full compliance with all PCI requirements to the letter of the published standard. Yet if there is a breach the company can and if big enough most certainly WILL be held responsible and fined for the breach anyway.

      If the standard in reality is that people (corporations are people my friend) are held liable for every transgression against them no matter what that's not something I can support.

    4. Re:That's a really bad analogy. by Anonymous Coward · · Score: 0

      What if the bank didn't bother to protect itself against robberies? No silent alarms, no policies and procedures, etc?

      What if the girl didn't bother to protect herself against rape? No mace, guns, knives. No martial arts training. Just dressing like a "slut" in public all day "asking for it"?

      Sure, you can not "really" prevent a robbery, but you can limit the damage and you can limit the ease with which a bank can be robbed and you can limit the amount of expected success.

      In some countries if you get raped you go to jail or worse. There are people on earth numbering in the millions who don't see a problem with this.

      I find it interesting how the theory of holding victims responsible for criminal acts against them appears to be arbitrary based entirely on subjective whims and sensibilities of the beholder.

      You didn't have enough deadbolts and failed to reinforce door frame. It's your fault you were robbed.

      It's your fault you got shot. You failed to protect your home against bullets even though you knew full well other shootings have taken place in the neighborhood.

      Fortunately I don't suffer from the same mental deficiency many of you appear to be suffering from.

      It is quite easy for me to say sending the victim of a crime to jail for functionally being a victim is fucked up PERIOD. No matter what the circumstances this is not even remotely acceptable behavior.

    5. Re:That's a really bad analogy. by strikethree · · Score: 1

      I would be curious if anyone is able to cite just one single solitary instance of a major data breach where the company holding data was deemed to have "sufficient" safeguards in place and therefore wasn't held responsible for the attack.

      Not a company, but Snowden did quite a number on the NSA. It wasn't their negligence that allowed him to do what he did.

      Corporate examples are harder to come by because they don't advertise when they have been attacked.

      Is there in reality a standard anyone can follow that would absolve them of responsibility if attack is successful anyway?

      Well sure. If you follow standards and/or procedures, you are covered. If all you are doing is checkbox security, someone will get in, but you can at least point to all of those checked boxes and absolve yourself from legal responsibility.

      If the standard in reality is that people (corporations are people my friend) are held liable for every transgression against them no matter what that's not something I can support.

      Agreed. It is an impossible standard stating it like that. There are numerous security standards that you could subscribe to, such as FISMA, but to not subscribe to any standard is clear evidence of negligence.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen

    6. Re:That's a really bad analogy. by WaffleMonster · · Score: 1

      Not a company, but Snowden did quite a number on the NSA.

      This isn't responsive to my question. The information he gave to the press didn't directly endanger countless millions of people.

      Well sure. If you follow standards and/or procedures, you are covered. If all you are doing is checkbox security, someone will get in, but you can at least point to all of those checked boxes and absolve yourself from legal responsibility.

      I welcome any evidence of this ringing true WRT *ANY* major data breach.

    7. Re:That's a really bad analogy. by strikethree · · Score: 1

      I normally do not reply to Anonymous Coward, but I like your thinking: Apply all standards equally across the board.

      What if the girl didn't bother to protect herself against rape? No mace, guns, knives. No martial arts training. Just dressing like a "slut" in public all day "asking for it"?

      Well, she will likely "pay" for her negligence through getting raped. Is she supposed to be arrested or some financial related penalty? The penalty *IS* the rape.

      Since you applied your logic like this, I am assuming that you think I am excusing the rapist. No. No I am not. The rapist will hopefully end up in prison with a full sentence to serve.

      In some countries if you get raped you go to jail or worse. There are people on earth numbering in the millions who don't see a problem with this.

      Yep. I recall seeing that 12 year old girl get stoned (the bad kind) by Al Shabab because she was raped. I do see a problem with that, but I am unsure why you thought that relevant to bring up.

      I find it interesting how the theory of holding victims responsible for criminal acts against them appears to be arbitrary based entirely on subjective whims and sensibilities of the beholder.

      Are we having a conversation or have you gone off the deep end here? Let's bring this a little closer to reality so we can discuss this coherently:

      Let's say you left your 12 year old daughter with an adult friend of yours for a few weeks. You find out that your daughter was raped.

      Would you be upset at your friend for letting your daughter go out virtually undressed and walk down dark alleys in bad neighborhoods alone? Why or why not? Would you blame your friend for her rape? Why or why not?

      You didn't have enough deadbolts and failed to reinforce door frame. It's your fault you were robbed.

      I like it. More "applying standards equally" here.

      You are wrong here. If you put in a deadbolt and reinforced the frame on your door, there was no negligence.

      It's your fault you got shot. You failed to protect your home against bullets even though you knew full well other shootings have taken place in the neighborhood.

      Um... you do realize that we are discussing culpability due to negligence?

      Fortunately I don't suffer from the same mental deficiency many of you appear to be suffering from.

      Well... that is true. You are not suffering from the same mental deficiency, but there is a deficiency there.

      It is quite easy for me to say sending the victim of a crime to jail for functionally being a victim is fucked up PERIOD. No matter what the circumstances this is not even remotely acceptable behavior.

      And... there is the proof.

      We are discussing culpability due to negligence but you mixed it up with personal responsibility to yourself with all of the examples provided.

      I honestly recommend you discover why you mixed it up this badly. It is a sign telling you how you are messed up. For your sake, I hope it is only because you are smoking too much weed.

      Good luck.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen

    8. Re:That's a really bad analogy. by strikethree · · Score: 1

      This isn't responsive to my question. The information he gave to the press didn't directly endanger countless millions of people.

      You should make that claim about endangerment to the US Government because they sure believe he did endanger countless millions. But I do see your point, kind of. My point was that the NSA took reasonable measures to protect their data and the head of the NSA deserves no flak/legal culpability for the fact that Snowden walked away with the crown jewels. (Well, they do, but for entirely different reasons). I think that is responsive to your question. If not, I can come up with other examples but this example clearly demonstrates the idea of culpability.

      Well sure. If you follow standards and/or procedures, you are covered. If all you are doing is checkbox security, someone will get in, but you can at least point to all of those checked boxes and absolve yourself from legal responsibility.

      I welcome any evidence of this ringing true WRT *ANY* major data breach.

      I suspect you got lost somewhere along the way? We are discussing a *proposed* law that has not taken effect yet. There can be no legal penalties without a law to specify such, so of course there are no examples of a CEO being held accountable or not accountable. Yet.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen

  47. Demonstratable fact vs. your bs by Anonymous Coward · · Score: 0

    https://tech.slashdot.org/comm... too many others say differently (registered /. peers, security pros, results etc.).

    * YOU? Lose...

    REPOST EDIT You also do NOT want facts in that link I posted above shown (hence you tried to "downmod hide" it last time I posted this very post, here https://tech.slashdot.org/comm...)

    APK

    P.S.=> You have issues libeling me that way... apk

  48. Hold Tech Execs Responsible For Data Breaches by Anonymous Coward · · Score: 0

    Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches

    2 words: Never Pass!!

  49. both ways by Micah+NC · · Score: 1

    By that token, perhaps politicians (e.g. senators) should be held responsible for government data breaches.

    E.g. the Office of Personnel Management breach of 2015.

  50. Re:WoW! Never thought I'd agree w/ her but... apk by Anonymous Coward · · Score: 0

    apk, you're a weird one, I won't deny that, but I gotta say... I'm actually glad to see you here participating in discussion, without having to throw in a promotion for your software. That was good of you. Please understand, why most people don't like you is mainly the hosts file stuff. I personally wouldn't mind seeing more of your opinions on here, but please find another place for promoting your creation.

  51. Time to change the title from 3 Felonies a Day to by Anonymous Coward · · Score: 0

    Four or more.

  52. Next, Turing's Halting Problem responsibility. by laxr5rs · · Score: 1

    Next we are going to make Execs take responsibility for Turing's Halting Problem, and for the correct interpretation of Quantum Mechanics.