• SirEDCaLot@lemmy.today
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    Oh I’m sure there would be insurance for that, but it would be expensive. It would dramatically reduce the amount of overall investment in the nation. That is a very bad thing, it would slow down the rate of our economy and innovation. Don’t get me wrong, the current setup where companies treat your data like an asset and then lose it and nothing happens is broken. There need to be stiff penalties for it. Corporate death penalty even, especially with an ending of all too big to fail. I’m talking penalties scary to the point that whatever profit could be made from your personal information isn’t worth the risk of having it, companies are scared to collect info. This would especially be true if there is negligence involved, like when companies put their databases on open S3 buckets. Companies should be scared shitless of that. But destroying our system of investment is not the answer.

    • explodicle@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      The cost of that insurance doesn’t just disappear - today it’s paid by ordinary folks left holding the bill. A company that can’t afford to pay for its expected damages is doing more harm than help to the economy.

      This isn’t just an answer to leaked databases. Companies can deliver profits when things go well, and then disappear after they ruin thousands of people’s lives.

      • SirEDCaLot@lemmy.today
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        If a company ruins people’s lives, I’m okay with them disappearing and all their investors losing their shirts.

        I agree that a company that can’t afford to pay for the damage it is causing is doing more harm than help and should go away.

        What I think we can both absolutely agree on, is that the current system where companies forcibly collect all kinds of information on people, don’t take security seriously, get breached, and the only punishment that happens is a few million dollars fine they can just write a check for and everyone affected gets a year of credit monitoring, is a broken system. In many of these breaches, they happen because the data was stored so poorly one could make a serious argument for gross negligence. When a company does this and the punishment is a wrist slap, I have a problem with that. It becomes a cost of doing business, not something company management is actually afraid of.

        Also, as somebody who actually works in IT, I can tell you cyber insurance is a thing. For small businesses it covers this sort of breach. When you sign up for it they send you a whole questionnaire that asks about your security practices. It’s all boilerplate bullshit. Real cybersecurity involves an insane amount of complexity and required understanding at every level, and the insurance questionnaire is like do you use multi-factor authentication for your email y/n?. If you check no you get a higher insurance premium.

        Perhaps a solution would be a mandatory payment of $250 per person made directly to that person if their information is breached. And if the company fails to report it within 60 days, it triples. If the company intentionally conceals it, it quadruples. And should the company go bankrupt and liquidate, these payments to users will be considered the primary creditor and take priority over all others. So no more of this ‘$10 discount on your next purchase and a year of credit monitoring’ class action settlements, put some real fucking teeth in a law. People would get some real compensation. And personal information would no longer be seen as a $20/person asset but rather as a potentially destroy the company liability.