Should Allowing A Massive Data Breach Be A Criminal Offense?

from the might-be-a-bit-extreme dept

Following some massive data leaks in the UK, some politicians there are considering a plan to make it a criminal offense to "recklessly or repeatedly mishandle personal information." Contrast this with the US, where courts have held that there can be no finding of negligence unless the leaked data is shown to have been used by identity thieves (even if the data was exposed through negligence or recklessness). Of course, this is a fine balancing act. Certainly, one of the biggest problems leading to these data leaks is that the companies that leak data generally get nothing more than a wrist slap as punishment, meaning that it's more cost effective to skimp on security than to properly protect the data. Adding the potential of criminal charges could raise the cost enough that people take the security of private information a lot more seriously. On the flip side, however, it could also cause other problems. No matter what, some ingenious criminal somewhere will figure out how to get access to a dataset, or some unimaginable combination of events will lead to lost data, and it seems unfair to throw someone in jail for that. If anything, it may scare some very smart folks away from taking jobs securing that kind of data, as the personal liability might become too high. In the end, stiffening the punishment for companies that screw up makes sense, but potentially putting individuals in jail absent clear and egregious acts of negligence seems like a bad idea.

Reader Comments


ehrichweiss, 3 Jan 2008 @ 12:15pm

    Re: Not a good idea...

    You think this is bad because...??

    Any company handling private information is already going to have the cashflow to afford to hire a security tech and purchase a few licenses for some encryption software. If they don't, they don't need to be in the business.

    Health-related companies are already bound by HIPAA and that can be something as small as a single doctor, one-person billing agency, etc. but they all have to comply fully with HIPAA or face the same issues you describe.

    The thing is, if they hire an incompetent security tech, they can pass off the blame onto the tech, and then the tech has to deal with all the criminal/civil charges. If they simply neglected to hire a tech, then they deserve the harshest punishment allowed (Balls, meet Mr. Vise).
