Comment by awesan
6 hours ago
If a business legitimately needs such information to operate, isn't it borderline impossible to 100% prevent it from leaking? If the data is there, it can be compromised either by technical means or non-technical means.
The primary issues in my opinion are (1) businesses collecting and holding on to information they don't need and (2) businesses getting so large that they become prime targets by default.
In a world where pointless data collection was disincentivized and there were many small businesses instead of a few large ones, this problem would be much more localized and addressable. But of course this is a dream within a dream.
I'd also add a third issue to this list: data retention. Too many companies I've dealt with have privacy policies that state something to the tune of "we'll hold onto your data for as long as required" without giving much of an explanation as to how long "as required" is.
Which usually means until the financial incentives to remove the data outweigh the incentives to keep the data. Data is more valuable than database storage costs, thus there is no incentive to remove the data. Policies should therefore be in place to punish unnecesary data retention.
There is a vast difference between it not being 100% impossible and data holders not doing the absolute basics to keep it safe.
I could imagine if, after a data breach, there was a government-run cyber investigative task force that would come into an organization, and be tasked with investigating and fully understanding the nature of the breach. We already have forensic detectives for other crimes, why not this one?
And if it turns out that the failure occurred due to the company acting negligently, a la (whoopsie all the records were in an open S3 bucket) then humans would be found personally liable.
--
But in principle, i also agree with the other causes you list. These are very much what GDPR was aimed at improving. It really is a shame when you look at what GDPR could have accomplished if not for malicious compliance by American tech giants, and shitty enforcement (instigated by American tech giants)
It doesn't even need to be government-run, we just need the right incentives. I've seen proposals for making some kind of data loss insurance mandatory to compensate victims. The insurance companies would then conduct audits which determine the premiums for the company, and investigate for negligence after a breach.
Edit: Thinking more about it, this would probably also be positive for security investigators. If a company is stonewalling you and ignoring a legitimate bug report, you now have the option to escalate this to the insurer. Maybe they could even facilitate bug bounty programs for smaller companies
I've had a similar thought in the past. I was thinking about the feasibility of a law being introduced where each company making over a certain amount of money per year must begin a VDP (and optionally a BBP) so that security flaws can be reported to them easily. This can easily be done by simply opening up security@companydomain and using security.txt (https://securitytxt.org). Reports must receive a response in N days, where N is calculated based on available staff, resource allocation, and revenue of the company. If they don't receive a response after N days, this can be escalated to some government agency which can take action against the company for failing to respond to a report on time.
1 reply →
Small businesses are equally vulnerable, and it's possibly to perform cyber attacks at scale - Gen AI makes this easier