> Then companies start covering up data breaches because disclosing them would cost millions in fines, resulting in people not even knowing when they've been compromised.
Couldn't you make this same argument about any law that punishes bad behavior? As an extreme example, if we make murder illegal, that incentivizes covering up the act, at the expense of closure for victims' families. It seems flawed to me.
It's a lot harder to cover up a murder than a data breach. People notice when someone turns up dead or mysteriously disappears. If some criminals break into your servers, who has any way to know other than you and the criminals?
There is also the issue of intent. Murder is illegal when you intend to do it. Nobody intends to have a data breach. In that case sunlight is more important than punishment because it's in everyone's interest to prevent it happening again, which requires understanding how it happened, which requires cooperation. Putting otherwise-aligned people on opposite sides creates unnecessary conflict at odds with the common goal.
I'm not sure you could cover up a data breach that easily. Those data dumps are going to be sold on the black market eventually, and I speculate that in many cases government agencies will be able to identify unannounced breaches.
Slap a 10x (or even 100x) fine on companies whose data breaches are discovered independently and covering stuff up won't look like such a good idea anymore.
> Those data dumps are going to be sold on the black market eventually, and I speculate that in many cases government agencies will be able to identify unannounced breaches.
Sure, but how do you prove it was covered up rather than merely discovered externally before it was discovered internally?
Covering up a data breach sounds like criminal behavior in the example above. Which, you know, lands people in jail? I seriously doubt many employees will risk jail time so their company is spared a fine.
If it is mandatory to disclose data breaches and equally mandatory to cooperate with full transparency to fix the issue, then we are assuming that employees would act criminally while being accountable themselves because it would be best for the company?
I would like to meet those employees who are so loyal that they will risk jail time for their company. Sure, some people will risk persecution to work in outlawed political groups, but that is some real dedication in the example. Especially as they have nothing to gain whatsoever.
> Especially as they have nothing to gain whatsoever.
Other than their stock options, their relationships with other employees and potentially their job and career. True, whistleblowers have little to gain, but they have much to lose.
They have their freedom to lose and nothing to gain by not sending in an anonymous tip.
You have groups of multiple people there, where only one has to talk for everyone to go to jail. This is how organized crime has been prosecuted for years. The only one of the guilty who gets out is the snitch.
> They have their freedom to lose and nothing to gain by not sending in an anonymous tip.
Sending an anonymous tip that could result in their company losing a lot of money if not going out of business has a highly undesired effect on their continued employment, future raises, stock options, etc.
> You have groups of multiple people there, where only one has to talk for everyone to go to jail. This is how organized crime has been prosecuted for years. The only one of the guilty who gets out is the snitch.
Prosecuting organized crime works by busting the little fish and cutting a deal to go after the big fish. There is no starting point for that process when you're dealing with an otherwise non-criminal organization. If you're not already aware of their offense you have no reason to be investigating them to begin with and nobody there has the incentive to tell you when they don't expect you to have any other way to find out.
"The only one of the guilty who gets out is the snitch" is also obviously incompatible with remaining anonymous. Anyone would be able to deduce what happened.
You get whistleblowers when someone is outraged at what the company is doing sufficiently to take the risk to try and stop them. Not when the government is threatening severe penalties for a past mistake that has already been remediated.
The NTSB method produces better outcomes than the War On Drugs method.
> It's a lot harder to cover up a murder than a data breach.
Is it? You can murder someone by yourself and be the only person who knows what happened. You as the murderer are strongly incentivized to never tell anyone if you want to remain free.
In a corporate IT department a bunch of people will have to know just to make a decision as to whether or not to publicly disclose it. An anonymous tip could have zero consequences for the individual even while they remain in their current job. What is the turnover among IT staff? Once they have another job they have virtually zero motivation to keep their former employer's dirty secrets.