Bruce Schneier's blog talks about the recent hack of CIA director John O. Brennan's AOL account (among others) and says when it comes to social engineering attacks:
The problem is a system that makes this possible, and companies that don't care because they don't suffer the losses. It's a classic market failure, and government intervention is how we have to fix the problem.
It's only when the costs of insecurity exceed the costs of doing it right that companies will invest properly in our security. Companies need to be responsible for the personal information they store about us. They need to secure it better, and they need to suffer penalties if they improperly release it. This means regulatory security standards.
Schneier goes on to suggest the government should establish minimum standards for results and let the market figure out the best way to do it. He also partly blames consumers because they demand any security solutions be easy to use, ending with:
It doesn't have to be this way. We should demand better and more usable security from the companies we do business with and whose services we use online. But because we don't have any real visibility into those companies' security, we should demand our government start regulating the security of these companies as a matter of public safety.
Related: WikiLeaks Publishes CIA Chief's Personal Info
(Score: 2) by iamjacksusername on Friday October 30 2015, @06:59AM
I personally have been in favor of per-person statutory damages awarded on a strict liability basis. That is, the basis of the award is that a breach occurred, not whether the company is at fault. On a practical basis, it would be a death knell for a company. Going forward, companies would stop storing people's personal information. The reason why we have companies able to exploit massive amounts of data is because there is very little capital cost for holding the data. The cost for Facebook to track me is close enough to zero to be almost non-existent.
There is a tremendous social cost though - we are seeing it with mass invasion of privacy, automated tracking of everybody, facial recognition, etc... There is a famous scene in Enemy of the State where Will Smith is being tracked in real-time via cameras. This exists now - tow truck drivers all over the country use an automated license plate recognition system tied to a camera in their cars. It automatically checks the license plate on every car it sees for repo against a central database, logging time and location. Police departments can buy access to this database. Facial recognition, I am certain, is not far behind. We are heading full steam ahead into a surveillance society and nobody wants to stop it because these costs are being externalized. By creating statutory fines, we make companies (and people!) incur these costs.
What will happen? A lot of companies will no longer store your data. Companies that still do will look long and hard at what they store. The more egregious, privacy invading data mining businesses will no longer be viable since they rely on a near-zero cost for data acquisition. And that's not a bad thing.