Elizabeth Warren proposes holding execs criminally liable for scams and data breaches

Originally published at: https://boingboing.net/2019/04/03/the-buck-stops-here.html


Wait… what now?


Personal liability is a fine idea but it is apparently hard to implement in practice. Sarbanes-Oxley (SOX) for example has personal liability for false financial statements and other misdeeds. But corporations can indemnify their officers for fines that might result from their actions. There have also been very few criminal prosecutions of executives under SOX.


Based on all the extra bullshit I have to go through after SOX, this means all IT workers will bear the brunt of this proposal.


Some companies are so corrupt, they warrant a thorough scrubbing with a RICO brush.


I’m sure that this will make people not want to do the technical work with the idea of being criminally liable because criminals attack them.

They can pass the Grey Poupon in prison.


It’s never RICO.


Or more emphatically:


If we write RICO three times I think Ken White appears.


I’ve been saying this for a while:

Fines are just a (tax deductible!) business expense.

Until C-suite execs end up in prison, the fuckery will continue.


Similar thoughts here. By the time it passes, if it does, it will build in all kinds of “controls” for the execs to wriggle out of. And that’s how SOX is handled on the ground, a massive matrix of controls that are the responsibility of IT and other managers, and outside consultants who “certify” that the organization is compliant.

At least what Sen. Warren’s after will add a set of eyes to the process and execs may have to listen more carefully to their network admins.

There is also GDPR data privacy compliance and similar legislation now on the table in California, so companies are already headed in the direction of some kind of compliance. However, I haven’t found any of the big consultant/compliance companies stepping up in the US to take over a company’s GDPR process. It would be ideal for execs to pass that buck as they do for SOX compliance. In my (not really an exec) case for GDPR compliance… as I say this, I’m sure others here will correct me & describe it more accurately… we have to identify every single vendor by whether/how they pass through, transmit, process or store data (“if it touches the EU” but best to assume it will). This may be end user data but may also be employee data. If some of those boxes are ticked, they either need to have a Data Protection A(greement/mendment) automated to apply to all of their partners or someone on either side has to go after one that is signed by both parties. It can be rather murky and needs to involve a lot of employees who know what that product does and where it sits. For example, if third party software sits within your company’s internal VPN/servers, the software vendor technically has zero access to that data… you yourself still need to be GDPR compliant but don’t have to beg for the paperwork. But a LOT of vendors and products, at the customer’s option, can sit in the seller’s cloud or the buyer’s cloud. Beyond that I wonder if there will be cases where the DPA is on file on both sides and if/when there’s still a data breach, there will be something missed (or deliberate) in the DPA fine print and a lot of finger pointing as to who’s liable. The EU sure as hell does not mess around with wimpy fines and wrist slaps.

And here’s a weird one… increasingly, contracts and agreements will cite a URL where terms may change at a future date. I’m definitely encountering this with GDPR stock “agreements.” Only one vendor is bold enough to instead refer to it as “TERMS.” Terms is more accurate… because it’s telling you up front that it’s one sided if you want to do any business with them. I think doing this URL referral within contracts to be signed by both parties is a deplorable practice. It turns an “inked deal” into a moving target that is then no longer really consented to by both sides. I’ve had to fight bullshit fees that were added that way. The only way to protect my company has been to grab the snapshot of all contract-referenced URLs at the time of execution and send them to legal.

(TLDR: They Don’t Pay Me Enough)


The other part of the trap is that, if the CEO can’t possibly be expected to know what every part of the company is doing (even though there are often detailed email chains showing that they didn’t just know about it, they ordered it), then surely they shouldn’t be paid 300x what the workers who secure their IT infrastructure earn.


That’s why you need mandatory minimum sentences. I kid.


So what will this fix? I have been a victim of at least four major data breaches. Most Americans are in a similar boat.

Will this bill take my information off the black market? Will all the data that has been set free come wandering back into its safe enclosures? Will this bill make it easier for me to undo the damage those breaches have caused? If it doesn’t, then it is nothing more than another politician faffing for the base.

I also strongly doubt punishment will do anything productive. It will simply motivate people to hide the breaches longer, and cause more damage.

The right and only approach is to take all of the value out of the data. Opening new lines of credit should NOT be easy. Any company requesting my credit history HAS to be accredited and prove it. etc.


Fuck yes.


Exactly this. At this point, if any company is relying on any biographical information to do identity confirmation (i.e., they believe that you’re you because you have an SSN or a credit card number in your name) then they are idiots, and they should be held completely liable when anyone claims that their identity was stolen.

We really need some kind of a two-factor identity management authority. I mean, it’s kind of silly that my company requires me to have a two-factor login to my desktop, but a loan company will give anyone with my social security number and name (both unfortunately very public) thousands of dollars and then expect me to pay it back…


I love this woman.

This is exactly what should be done. I am fucking sick of the criminal negligence baked into American business, and somehow these assholes get to expose my financial identity and otherwise and they never ever get punished for it.

Republicans are always screaming at the top of their lungs we don’t need more laws we just need the ones we have enforced.

I say we need the law enforced against corporations even more vigorously than against single people. All of these data breaches need to stop, at the cost of liability of not only the CEOs, but the COOs, and the entire board of any company that allows this bullshit.

I want suits thrown in jail immediately when shit like this happens, without tax-deductible fines. Enforce the laws, with hundreds of fangs, and start throwing these assholes in jail like everyone else. Negligence is not an excuse.


It’s a whole lot easier to just walk up behind someone, poke a gun in his ribs, and say “give me all your money”.


At the very least, there should be a dollar amount associated with personal data (say, $10,000-$50,000). And exposing the data will be the equivalent of losing that money. And if they internally discover a leak, and don’t disclose it, the damages treble. Right now, all they have to do is say OOPS, and then only after they’re caught by a third party. They’d be much, much less cavalier if penalties like this were involved.
