Comment by znpy
10 days ago
> It's not like there are any real penalties to a breach.
Not in the US maybe. In the EU under GDPR you have to disclose within 48h of you realizing (or made aware of) the breach.
There are fines (at least) if you don't disclose it afaik.
Oracle is gonna have issue with the EU, most likely.
Maybe the EU wasn't on the Signal group chat when Oracle notified The Atlantic of the breach
[flagged]
SEC Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules - https://www.sec.gov/files/33-11216-fact-sheet.pdf
I mean it's true that there's a rule, but at this point in US history I think we have reason to be sceptical that it will be enforced.
The SEC selectively enforcing the rule does not prohibit a shareholder suit against the company. "Everything Everywhere Is Securities Fraud" after all.
1 reply →
Have their been any GDPR fines that amount to more than a rounding error of Oracle's revenue? Admittedly, I don't watch too closely, but from the ones I am aware of, I haven't seen any GDPR fines that made me finally think "wow, that might actually count as a punishment". (I would honestly be happy to learn of some!)
There are disclosure laws in the US as well, but again, the fines are like a days worth of revenue. Maybe the breached company has to provide a year of credit monitoring for the affected persons, if lucky.
Several of the fines have been in the hundreds of millions of dollars - and while not crushing to Oracle, that's actual money that will definitely change behavior.. https://www.enforcementtracker.com/
Many of these are against public bodies... Hundreds of pages with lawyers back and forth for in the end money going from one part of the government to another...
Nice, thanks for the link!
The largest fine ever issued is about 2% of Oracle's 2024 revenue. If we average the top 5 fines ever issued (this breach surely wont result in the largest GDPR fine ever), it'd be about 1% of Oracle's 2024 revenue. So, between ~3.5 and ~7 days worth of revenue, if we're lucky and get a top 5 GDPR fine?
I'm not sure that is in the "definitely change behavior" area yet (in fact, I'm confident it is not), but better than I thought.
5 replies →
If that were true companies wouldn't get fined over and over again year after year.
In the UK, and I presume the EU also, the fines for losing customer data are set as a % of company annual worldwide turnover.
https://ico.org.uk/for-organisations/law-enforcement/guide-t...
> the fines
They're not fines though if no money changes hands.
So far very few if any of these supposed penalties have actually been paid.
There have been a few good articles published about the total Euro amount of "penalties" and actual enforcement actions, and the ratio is something like 100:1 or worse.
According to the GDPR enforcement tracker link helpfully provided by the sibling commenter, we'll be lucky to see a ~1% fine of the 2024 revenue of Oracle. That's assuming that the fine issued is in the top 5 GDPR fines ever issued. Even 4%, the cited higher maximum on your link, is kind of peanuts (not sure this breach would even qualify for the "higher maximum", as I'm unfamiliar with the laws, so it could be a maximum of 2% if counted as a "standard maximum").
To me, that's still in the "cost of doing business" territory, not the "punishment" territory.
3 replies →
If a fine isn't an existential threat what's the point of it? Hoping next time they'll care more? tf?
the EU needs to tack another 0 to these percentages if they want to see movement.
1 reply →
> Have their been any GDPR fines that amount to more than a rounding error of Oracle's revenue?
Not yet, hopefully soon: under some circumstances GDPR fines can go up to 6% of gross earning (ebitda) iirc.
> In the EU under GDPR you have to disclose within 48h
72h actually, but yes, data protection and breaches to sensitive personal information is taken very seriously in the European Union and its legislation.