Should It Be Illegal To Get Hacked?

from the might-be-a-bit-extreme dept

A few years back, we asked if it should be illegal to get hacked. In that case, we were referring to some fines that the FTC had handed out to companies that had leaked data to hackers. This raised some troubling questions -- as it's often difficult-to-impossible to stop your computer systems from getting hacked, and putting liability on the company could lead to some serious unintended consequences. Yet, at the same time, over the past few years, we've heard about large security breaches on a regular basis (thanks, in large part, to new disclosure laws) -- and often those breaches definitely seem to be due to negligence on the part of a corporate IT team that failed to lock down the data in any significant manner. That seems to be leading more people down the path of saying that companies should be liable for getting hacked.

For example, Slashdot points us to a blog post at InfoWorld, where it's suggested that companies should be criminally liable for leaking such data. I can certainly understand the sentiment, but it may go too far. Again, it's impossible to totally protect a system from getting hacked. Sooner or later there's always going to be some sort of leak. Increasing penalties could make companies take things more seriously -- especially in cases of gross negligence (which do seem all too common). But making the rules too strict can have serious negative unintended consequences as well, even to the point that some companies may stop accepting credit cards altogether, since the liability would just be too great. Would people be willing to give up the convenience of credit cards to protect their safety? From what we've seen, for most users the answer would be no. They know their credit cards are at risk, but they still use them because the benefit of the convenience still seems to outweigh the danger of the risk.

Filed Under: data leaks, hacked, legal, liability

Reader Comments

  1. Paranoid With Reason, 26 Aug 2008 @ 2:34pm

    it's not just one part

    It's not just the IT department's networks. It's not just the home-grown apps' poor coding. We must also deal with the incredibly poor coding, from the ground up, of the most commonly installed OS on desktop computers.

    Securing the servers and the network won't save you from Joe Clueless when the poor sap brought in his laptop from home because it didn't have the corporate-installed browser filter, figured out how to get it onto the corporate network despite IT's efforts, browsed to a page with a malicious bit of code (maliciously malformed JPG or SWF banner ad anyone?) and wound up with a bot computer that in turn infected all the other desktops within the corporate firewall via some unreported weakness in their OS.

    It's a far too probable scenario, really, and nothing the corporate IT department does can save them from it happening. That's why any legislation would have to be written very carefully or we'd run the risk of victimizing the victims.

    Not that the (often budget-stingy) corporations who choose cheap over secure deserve a break...but bad legislation is worse than none and typically legislators aren't so good at the finer points of the technology they're so eager to legislate.
