Should It Be Illegal To Get Hacked?

from the might-be-a-bit-extreme dept

A few years back, we asked if it should be illegal to get hacked. In that case, we were referring to some fines that the FTC had handed out to companies that had leaked data to hackers. This raised some troubling questions -- as it's often difficult-to-impossible to stop your computer systems from getting hacked, and putting liability on the company could lead to some serious unintended consequences. Yet, at the same time, over the past few years, we've heard about large security breaches on a regular basis (thanks, in large part, to new disclosure laws) -- and often those breaches definitely seem to be due to negligence on the part of a corporate IT team that failed to lock down the data in any significant manner. That seems to be leading more people down the path of saying that companies should be liable for getting hacked.

For example, Slashdot points us to a blog post at InfoWorld, where it's suggested that companies should be criminally liable for leaking such data. I can certainly understand the sentiment, but it may go too far. Again, it's impossible to totally protect a system from getting hacked. Sooner or later there's always going to be some sort of leak. Increasing penalties could make companies take things more seriously -- especially in cases of gross negligence (which do seem all too common). But making the rules too strict can have serious negative unintended consequences as well, even to the point that some companies may stop accepting credit cards altogether, since the liability would just be too great. Would people be willing to give up the convenience of credit cards to protect their safety? From what we've seen, for most users the answer would be no. They know their credit cards are at risk, but they still use them because the convenience still seems to outweigh the risk.

Filed Under: data leaks, hacked, legal, liability

Reader Comments


  1. Will, 26 Aug 2008 @ 1:31pm

    some liability needed

    There needs to be some degree of liability, mandatory fines, and mandatory and unlimited compensation for any resulting damages.

    That starts with regulations on what data can be kept without explicit request of the user and how long it can be kept. None of this "we keep your credit card information on file" crap that you MUST agree to for a purchase. No more keeping data on file months or years beyond a transaction.

    That's followed by a specified set of mandatory minimum security requirements. Encryption of certain personal, financial, etc. data is mandatory; said data cannot be shared with partners without explicit permission; said data cannot be carried on portable devices unless protected by an additional layer of security; and so on.

    Those requirements are enforced with mandatory fines, X dollars per user per breach per violation. Also any and ALL damages caused by failure to meet these standards are covered by the party at fault. You lose a database of unencrypted credit card data and $10 Million in fraudulent charges result - you reimburse that loss, not the credit card companies or the customers, mandatory.

    You don't have to make everyone liable for every security vulnerability that they don't patch within minutes or even months to make a dent in fraud. There's no need to legislate best practices either - just minimum standards of care.
