FTC can finally sue businesses that fail at basic best practices for cyber security.
-
@scottalanmiller I completely hope that the FTC does and will do the correct thing with this new precedent. But I suspect that what will come from this will be more of the chase every company large and small for any penny that the govt can get.
Now, this isn't a bad thing in itself, immediately, as many companies will get the hint that they need to improve their security policies and practices.
But what will likely come from it is more businesses will simply try to become more deceptive about their practices because "well, it's too much (money, work, difficulty) to (implement / keep current with) current standards."
-
@DustinB3403 said:
@scottalanmiller I completely hope that the FTC does and will do the correct thing with this new precedent. But I suspect that what will come from this will be more of the chase every company large and small for any penny that the govt can get.
But why do you suspect that? Is there a precedent for the government doing something like this? I can't think of one.
-
@DustinB3403 said:
But what will likely come from it is more businesses will simply try to become more deceptive about their practices because "well, it's too much (money, work, difficulty) to (implement / keep current with) current standards."
Why would they get deceptive? I'm not sure what you mean. How would being more deceptive help them?
-
The precedent isn't for this exact case, but as a general practice, "We've done it before, let's go again for another round."
It's how people, not just govt, function.
Do something again and again because it's the simplest and most rewarding process to do. What happens to the monies collected from the sued companies: do they go towards the damaged parties, or does the govt keep them?
I'd hope they go to the damaged parties; likely some or most of it does. But some of it definitely goes to the agents supporting those damaged parties, in one way or another. Which would lead to corruption.
-
@DustinB3403 said:
The precedent isn't for this exact case, but as a general practice, "We've done it before, let's go again for another round."
It's how people, not just govt, function.
But you are talking about suing wrongdoers. How many cases of wrongdoing do you want the FTC to overlook?
-
I wouldn't say it's a number of wrongdoings that the FTC should overlook at all.
Nor should they overlook any, if it's practical for them to enforce every possible case.
This new power needs to be applied equally, and judgement (fines) applied appropriately (to the scale of the breach, not to the size (profits) of the company), not just a demand for a blank check, so to speak, from the defendant.
-
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
-
@DustinB3403 said:
This new power needs to be applied equally, and judgement (fines) applied appropriately (to the scale of the breach, not to the size (profits) of the company), not just a demand for a blank check, so to speak, from the defendant.
Well, that's not up to the FTC, it would seem. They just prosecute the violators.
-
@DustinB3403 said:
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
I would expect a minimum fine to be very unlikely. And the latter to be a good thing. Many SMBs playing fast and loose should indeed close up. That's not the kind of business practices we want being rewarded in any way.
-
@scottalanmiller said:
@DustinB3403 said:
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
Why would a minimum fine be unlikely? There are minimum fines for DWIs, using drugs, blatant theft from a person or business.
It's all a matter of reasonable restitution. If 300 people's private information is stolen during a breach, let's (and just for argument's sake) say that the FMV of that stolen data is $5 million: credit value, cash, property, whatever it might be.
A minimum restitution to the allowed loss of that FMV has to exist. Otherwise the company that allowed the loss to happen in the first place (and who is at fault) could possibly only pay a $100,000 fine, or almost no fine at all.
Setting a minimum doesn't mean that it will always be used as the value at which stolen information is valued, where fines are applied from.
It means (at least it should, IMO) that if you're found guilty of blatant disregard for customer privacy you will pay X dollars and up, as appropriate for the level of the breach.
Quite honestly, I'd want a 1:1 ratio of value:fine, but that will likely never happen.
-
@DustinB3403 said:
Why would a minimum fine be unlikely? There are minimum fines for DWIs, using drugs, blatant theft from a person or business.
Those are not Federal crimes. That some states have those does not imply that there is a Federal system for that.
-
@scottalanmiller Those are simple examples.
Let's use the example of trafficking illegal drugs across the border, then from state to state trafficking the drug money.
There is a minimum for those.
-
@DustinB3403 said:
Quite honestly, I'd want a 1:1 ratio of value:fine, but that will likely never happen.
I'm not sure that I agree. That's like saying that you'd only want a DWI charged to the level of damage he did rather than the damage he was willing to do. Yes, companies will likely only be sued after a breach has happened. But the degree to which they were exposed (how can we prove that anyway?) is less important to me as a citizen (in fact, not at all important) than how risky the company was willing to be.
In fact, I don't see that the breach should even be considered. At all, because that uses the assumed quality of the attacker as a guide to penalties for putting people at risk rather than punishing the action of the company not protecting its customers.
-
@DustinB3403 said:
@scottalanmiller Those are simple examples.
Let's use the example of trafficking illegal drugs across the border, then from state to state trafficking the drug money.
There is a minimum for those.
I'm not aware of that, but I'll assume that that is correct. Still, isn't that a criminal situation, though? This is not. Still, rather different. This is a civil trial.
-
@scottalanmiller So a smarter hacker (or team) who breaches even the best implementation of IT security would still be fined, because they didn't go out of their way to further test the security systems that are current best practice. Because that is exactly where this leads to.
Again I am all for the new power, I'm just playing devil's advocate.
-
@DustinB3403 said:
@scottalanmiller So a smarter hacker (or team) who breaches even the best implementation of IT security would still be fined, because they didn't go out of their way to further test the security systems that are current best practice. Because that is exactly where this leads to.
No, I think you've missed the point of the ruling. It is against the company, not the attacker, and it is for not properly securing the data. If well secured and still breached, no reason for legal concern. If insecure and not breached, there could still be cause for concern if it were to be exposed.
I don't understand the fear of "leading to" anything. There is a good law, it seems, and no reason to suspect abuse. Can abuse happen? Yes. But it could happen without good laws. There is no need to be suspect of good things just because bad things are still possible.
-
I think this ruling leans more towards, "You'd better follow best practices with regards to private client information (and isn't it all private?), and if you don't and are breached, regardless of the cause you'll be fined for said breach."
-
@DustinB3403 said:
I think this ruling leans more towards, "You'd better follow best practices with regards to private client information (and isn't it all private?), and if you don't and are breached, regardless of the cause you'll be fined for said breach."
Which is all good. Because it is qualified with "you'd better follow best practices".