Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches (theverge.com)
On Wednesday, Sen. Elizabeth Warren (D-MA) introduced a new piece of legislation that would make it easier to criminally charge company executives when Americans' personal data is breached. From a report: The Corporate Executive Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" executives of corporations (that make more than $1 billion) when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."
Roll it up in online and maybe expanded individual privacy rights? The right to be forgotten? Banning shadow accounts (Facebook) on people that never even joined your system/application/social media...?
Now something like that might actually be healthy and helpful to the average US citizen....
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Awesome. Somebody needs to be held responsible.
Time is what keeps everything from happening all at once.
I fully back this IF the politicians, like Elizabeth Warren, can also go to jail for their failures. I'm sure she will agree to this......
Otherwise, how will this be workable? So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks? What about the people who are supposed to be applying the privacy policies? What about the engineers and technicians? This just seems like a "witch hunt" and political posturing.
Her statements make it sound like the CEO is trying to "cheat their customers" by having a security breach? There's nothing in it for the CEO if there is a security breach. If a CEO is stealing from someone, then ya, book them.
This seems like a way to get some votes and wanting to stick it "to the man". I'm sure it will feel good, but it's not going to change security breaches in large corporations.
I don't really know, but maybe the idea is to motivate the execs to stop cock-blocking IT dept's security budget.
Do you know what "executive" means? Do you know why they make hundreds of times more money than the average developer? It's because they're supposed to be responsible. Of course you should hold the executive responsible for these breaches. They were the ones in charge.
You are welcome on my lawn.
Exactly, the rich one who has the power to tell the not rich one "forget about security, just get it done." Next time, maybe think about the topic for 10 literal seconds before posting.
Naw, what this proposal would accomplish (if it actually passed and wasn't just a campaign talking point) is to increase the level of executive pay for anyone who might be caught and prosecuted under the law. Less people on the margin who want the job becomes less competition for the job becomes higher compensation for the job to attract the best candidates, the ones with other options. Basic economics, which Warren hasn't ever demonstrated she understands, of course.
Now let's see the laws about holding the government bureaucrats and politicians responsible for all their own many personal data breaches. Still waiting for that to happen...
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
In this area she is "incompetent"; her expertise is in law and finance, she knows nothing about technology. She is right about executives and making them culpable and there are all kinds of areas to do that but without evidence of negligence this isn't one of them.
It is impossible to completely prevent a data breach and coming as close to it as you can would make it impossible for a company to actually operate. Including, perhaps especially, the rest of the technology pieces. Many companies are dangerously close to the breaking point as it is.
There is only one solution to the problem, back off your technology massively and rebuild your structure from the ground up with an eye on optimizing the places it makes the most sense with technology. Stay away from technologies that make tech resources cheaper, your tech resources will be the ones who want them because they make their jobs easier. Just hire more tech people instead, they won't all need to be top dollar top end resources. Just hire a couple of those guys and lots of high school grads to train on the job. Minimize code, intelligent, dynamic, programmable, anywhere and everywhere you can and absolutely minimize in house code. Where you do need it make it open source.
Every piece of tech in your organization adds linearly to the overall attack surface of your organization. Every layer of house developed code (or configuration flexible enough it might as well be a script or code) easily adds an order of magnitude. There are some things you can do to protect that attack surface but remember they add at minimum linear attack surface of their own and the more dynamic and flexible they are the more they add. Intelligent systems are even worse because they don't follow the predictable and secure patterns your work force follow. For the most part solutions to "protect" you are snake oil.
And whatever you do, for the love of all that is holy stay the fuck off the cloud, devops, and if you can't avoid hiring any devs at all don't even let them use any library less than 7yrs old or anything the actual admins say is a bad plan and don't deploy their code until it has been tested in dev and staging for at least 6 months and then phase in per admin and security requirements.
She LIED about her heritage to take advantage of affirmative action laws. Should be disqualifying for being president or Senator right there. It disqualifies her from ever making any moral argument against me or what I do.
You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?
If so, you'd best address the gigantic orange elephant in the room.
You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?
If so, you'd best address the gigantic orange elephant in the room.
This is the nature of the right these days. They are the party of morals, for other people... Trump is going to be at false or misleading claim 10000 fairly soon here, and they don't bat an eye, they just make up some story about how heaven works in mysterious ways and he is the chosen one to fulfill those ways.
Ain't it convenient when you can just:
1. Start with a goal.
2. Support any actions taken to reach that goal as some convoluted will of god thing.
Really, if you have to apply, but it's okay because, it probably isn't okay...
it applies across the board, and includes lots more provisions to punish corrupt CEOs like the folks who crashed our economy in 2008.
The reason she's focused on tech firms is that the media narrative is that the tech firms and the Democrats are in cahoots, so that anything she proposes to regulate to general businesses would be framed in that narrative ("why are you going after such and such and leaving Silicon Valley alone Ms Warren, hmmmm?"). This is a smart political move to defang one of the chief distracting narratives that would normally be used against her. It hurts the bill a little bit with techy nerds, but we're a tiny, tiny minority, and a lot of us (like me) see what she's doing there.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
If you read the proposed law (https://www.warren.senate.gov/imo/media/doc/2019.4.2%20Corporate%20Executive%20Accountability%20Act%20Text.pdf) it "establish criminal liability for negligent executive officers of major corporations" who "has the responsibility and authority to take necessary measures to prevent or remedy violations."
So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison. She isn't an IT security expert. Neither are those executives. Still, there are industry standards. We would hold executives who manage our water supply responsible if it were sub-standard and they failed to correct the situation.
One of the best pieces of advice I ever got was that if you want to fix a problem, you make it the problem of the person who can fix it.
Right now, there really is no actual punishment. People go tsk, tsk, a janitor gets fired, and it's onto where the stockholder's meeting is going to be held discussions.
If the guy at the top is looking at some serious punishment, he or she will make certain that data security is taken seriously.
Most all of these breaches have been over seriously simple stuff that never should have happened.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
It's better to hold the executive responsible rather than the managers or developers who chose poor security practices because s/he's the rich one!
Has nothing to do with money. Has everything to do with who holds the power. Managers? Not much. Developers, none. CEO? They want to protect those millions they make.
We've become so weird in this country. The part that is related to money is that with a big paycheck should come big responsibility. Yet we go in the opposite direction, making that big paycheck owner absolved and immune from all guilt.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Just as the Republicans did to Obama, so what's your point?
That tactic is now being used against them and all of a sudden it's a problem? They fucking invented it.
https://www.politico.com/story/2010/10/the-gops-no-compromise-pledge-044311
https://www.politico.com/magazine/story/2016/12/republican-party-obstructionism-victory-trump-214498
http://apps.frontline.org/divided-states-of-america-the-frontline-interviews/moments/the-opposition-strategy.html
Ass, meet bite.
Just wait till roles reverse again (they always do) and the D's use the Nuclear Option for confirmations. The R's will have a shit fit then as they didn't learn the consequences when the D's did the same thing, which of course, came back to bite the D's in the ass.
Politicians never fucking learn. When you use dirty tactics, expect them to be repaid in kind. Karma baby!
Donald Trump, on a crusade to make Nixon look respectable
Whataboutism? That's your only reply? Warren didn't just lie, she falsely claimed to have Indian heritage when she did not. That's a HUGE crime by leftist standards. And yet she's in your tribe, and these things aren't wrong when you do them.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.
So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.
The line is drawn here such that these regulations would only affect very large companies. Because it's those very large companies that are not being reined in by plain-ol' negligence lawsuits.
What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?
The lawsuits are ineffective at getting very large corporations to care.
Let me put it this way: In a lawsuit, you can recover the value of what you lost. Someone destroys your car, you can sue and get the value of your car.
I was affected by the Equifax hack. Legally, the value lost to me in that hack is $0.
I am not a party to any transactions where that data has value (Equifax and its customers), so I'm not out any money. "Someone may commit credit card fraud in the future" is not a basis for winning a lawsuit. If someone actually did commit credit card fraud, I would have to prove the data came from the Equifax hack and not, say, the Blue Cross hack where my data was also stolen. And that's not possible due to all the middlemen involved in getting that data to the people who actually commit fraud.
At best, I could demand Equifax pay for credit monitoring for some very limited period of time. And since Equifax already provides that service, they are out a very trivial amount of money - it costs them almost nothing to turn on the monitoring software they already have.
Which means civil liability provides exactly zero disincentive to Equifax's executives.
Negligence is whatever you can convince a judge and or jury negligence is.
Nope, it has an actual legal definition.
You're a big company you get hacked you get fined and sued no matter what the facts of the situation are.
And as I demonstrated above, the cost of those fines and lawsuits is negligible, and thus provides no disincentive for being negligent.
Heck, golden parachutes mean there's virtually no incentive for executives to avoid negligence even if fines were astronomical. They'd still make a ton of money before the shit hit the fan, and the shit hitting the fan is zero impediment for getting a new job (Hi Bob Nardelli!)
As a victim of identity theft, I can personally attest that the credit agencies don't just view this as "not their problem", but actively see it as the victim's problem. When my identity was stolen, a credit card was opened in my name and only a stroke of luck made the card go to me. (The card was mailed out before the identity thief's address change was processed.) When I called the company (*cough*Capital One*cough*) about it, they not only told me they couldn't give me information ("because if you go and shoot these people, we're liable" - but you're not liable for opening accounts under my name?!!). They insisted that my wife likely opened the account - when my wife was right next to me freaking out over this. Finally, they refused to let the police speak with them. They told the police that they needed to call a special line. That line went right to voicemail and it was never answered. I've heard of other times where credit agencies like Experian harassed identity theft victims, telling them that the fraudulent accounts would remain on their credit report unless the victims produced massive amounts of proof.
Basically, these companies treat identity theft and data leaks as minor annoyances. Close the account if someone complains, write off the tiny losses, push the burden of proof onto the victims, and then go back to raking in tons of money. If any actual laws are going to be put in place to protect consumers, fight those laws tooth and nail. They never suffer any actual consequences - just look at Experian's data breach. Millions of people's personal information leaked and what penalties has Experian suffered? They settled a $22 million class action lawsuit, but they earned $5.2 billion last year. I don't think 0.4% of their income really hurts them much. If I was fined $300, it might sting slightly, but it wouldn't really hurt. Especially not if what I was fined for made me that much in 1.5 days.
There need to be actual consequences or things aren't going to get better.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.