> ...in the US, penalties are assessed based on the seriousness of the infraction, not on the ability of the perpetrator to pay.
When the penalty is less than $5 per person affected, how am I expected to take that seriously? A penalty based on the actual seriousness of the infraction would put the company out of business, and that's what should have happened.
Let's assume a piece of data is used to empty someone's bank accounts via social engineering. Now it's possible to calculate how much that'll cost the banks. Multiply that by the average worth of an Equifax "customer" and you'll arrive at a nice round number which should put them out of business.
Sure they can. Ask Equifax’s lawyers how much it would take for them to introduce their SSNs and credit reports into the record. Divide by the number of attorneys and multiply by 145 million people affected.