Why It’s So Hard to Punish Companies for Data Breaches

administrator | 17 Oct 2018 04:30 | Security

It’s difficult to determine how and where companies like Facebook went wrong, which makes regulation challenging.

What happens to the companies that allow our personal data to be stolen? In most cases, nothing. Sometimes there is a short-lived flurry of bad publicity, a brief dip in stock prices, a class-action lawsuit or a Federal Trade Commission investigation that leads to a token settlement or fine. Facebook is unlikely to face any serious, long-term consequences as a result of a security breach it announced last month, which exposed the account data of 50 million users.

At first glance, the lack of consequences that companies face for data breaches might seem to be a clear problem and something that can be easily remedied through heavy regulation like the European Union’s General Data Protection Regulation. However, the problem turns out to be more complicated than that. Two challenges, in particular, have hindered effective legal and regulatory responses to breaches: determining whether a company was negligent in its security practices, and figuring out how to calculate the monetary value of stolen personal information and the harms inflicted on the people whose data was breached.

The fact that your personal information was stolen from a company does not necessarily mean that the company did a poor job of securing your data and therefore deserves to be punished. The Facebook breach, for example, was made possible by three software vulnerabilities tied to user tools for privacy and for uploading birthday videos. These vulnerabilities might seem like problems that Facebook should have caught early on, but the truth is that every company has bugs like these in its software...more via The New York Times