Hacker News

They need to go to prison and their company broken up.


I resonate with the sentiment but I expect taking away the golden parachutes of affected C level execs will go further to improving accountability than any amount of prison time will.


But who would ever take a C-level position then? Since they're the face of the company they're fired ceremoniously as a PR move whenever something bad happens.


In my experience a lot of people would take the job believing that they wouldn't allow something like that to happen on their watch. That said, you do have a point about the added pressure. Much like the '3 strikes' rule in California, the unintended consequence might be even more egregious and illegal behavior in order to avoid losing their contractual exit commitments.


If you kill their company, other companies will stop reporting breaches.


Or maybe they'll report in a more timely manner. They knew for the entire month of August a breach had occurred and they didn't report it.

It shouldn't take more than a couple days. That's enough time to verify you had a problem and get a good picture of the extent. You might not have all the details nailed down, but you put out the information you know and say "We'll provide more details as they become available."


It seems unlikely that anyone would've cared. The big problem is that they lost everyone's SSNs. The timing around the reporting isn't really why their company is under the guillotine.

Whoever dismantles their company could try to frame it that way, but the rest of the industry will see through that. It won't be a good situation for us to be in.


I wish more folks would use this as an example for why it might be time for us as a society to move on from having identity security hinge on a 9-digit number and a few other pieces of "flimsy" information.


You mean like the Social Security Office advised when social security numbers were first assigned?


They can advise all they like. When a law gets passed that says private companies cannot refuse or degrade service to any consumer that refuses to disclose certain categories of information that are not directly relevant to the operation of the business with respect to that specific consumer, then I will believe that the government is serious about this.

Right now, a baker can refuse to sell you a cupcake if you won't tell them your SSN. Your electric company can refuse to sell you power if you don't tell them your SSN. The phone company can refuse to give you dial tone. They can even refuse to serve you if your SSN has too many fives in it, or not enough. The character of the SSN currently assigned to you is simply not a protected class for anti-discrimination purposes, even though the difficulty in changing it is somewhere between one's race and one's religion.


So if I as a business wanted to discriminate against a protected class, I could ask for the person’s SSN and refuse service when they don’t provide it?


No, because judges are smart people and not easily tricked by games like that.


You would have to ask everyone for their SSN.


I agree, though it's not clear to me what we should use for identity security. Any piece of information related to a person is going to get out eventually.


If they had a requirement to report each breach promptly, we'd have known far sooner there was a problem there, and the pressure to improve security would have been higher. They have been leaking for years.


I'd argue factors that push such details out would overrule that worry. When there are three companies with the sort of power that credit ratings hold over people society is already suffering.

The people need to rein in the corporate interests of the world. Companies are already larger and more powerful than governments. People should be freaking out. This event just underscores that need.


So the goal here is similar to DMCA striking Pewdiepie: To use a legal measure against an entity you don't like because it's convenient.

That seems like a dangerous, slippery road with a lot of unintended side effects.


Individuals will always utilize the power granted to them in whatever way is most convenient to them.

This is why it's important we not allow laws to be passed with the assumption that overly broad permission grants are OK, because they'll only be used 'correctly'.


How do you cover up a leak on this scale without being criminally liable (assuming public company)?


White collar crime is difficult to prosecute. If you give people the choice between the certainty of losing millions of dollars and the somewhat remote possibility of prison, they may not make the right choice.


Perhaps we should be paying much higher rewards to whistleblowers, then.



