
> Attach a fine to the discovery and disclosure and you disincentivise that prudence.

Sue them. Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime. And quadruple the fine for misrepresenting the cause.

People act like the government doesn't have the power of subpoena. They can absolutely compel you to tell the truth.



Yes. I've worked in a very regulated industry before and it ended up being less secure than any other I've worked in. Checking your secure email required so many hoops that people would just text each other's personal phones instead, etc.


I've actually worked in govt systems. If you think the endless threats of jail make for more secure systems, you are truly clueless.

These systems are RIDDLED with the WORST outdated crap you can imagine. Absolute insane hoop jumping so plenty of pressure to work around security just to get jobs done (seriously - start with the help desk if you want access - they are so used to password resets the procedures become a joke - literally - what's the username and that's it, because if you have thousands of folks on 30 day password rotations with insane complexity all you do is password resets endlessly). Password sharing can also be crazy so passwords float all over.

The govt has had its top stuff leaked. The Office of Personnel Management leaked insanely sensitive stuff. They contract with the WORST folks in security. It's really crazy.

Google has never asked me to rotate my password. I have non-SMS two factor authentication options, they do pretty sophisticated rate and geo monitoring so you are not annoyed but pretty secure.

Cyberattacks, mechanical failures, weather disasters, meteor strikes, terrorist bombs, stupid construction workers ALL could affect this pipeline. People on HN have no risk perspective. Make the system resilient to a proactive few-day outage. Why does this system have to run 365 / 24 / 7? Have you mitigated EVERY possible issue - including disgruntled employees? No - then instead of overdoing one corner, design some give into the system.


I want to add that the physical limits of how the design is done are as much a factor as corruption/stupidity.

By physical limits I mean us, the wetware in the middle of all this. These systems can be designed years if not decades before they are actually brought online. By simple temporal placement they get the materials and techniques of that time span. By the time these things are ageing out of the system they will have some old tech on them.


> Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime

When you do this, the documents never get created. Not due to nefarious cover-ups, but because if little incentivises the creation of documentation, and everything penalises it in the edge case, you get rubber-stamped compliance stacks for decades until a crash.

If one has massive downside for reporting a potential risk, one better be 100% sure that risk is manifest before pulling the trigger. That delay and omission is the cost of such draconianism.


All internal communications, unless they are with an attorney and are clearly marked "privileged" and pertain to actual legal advice, are discoverable.


> All internal communications, unless they are with an attorney and are clearly marked "privileged" and pertain to actual legal advice, are discoverable

If a communication doesn't exist, it's not discoverable. If you legislate penalties for a certain type of communication, it shouldn't be surprising when it ceases to exist. This isn't the product of cover-ups. It's the long-term effect of penalties dissuading people from looking into certain things. If discovering a breach is penalized, nobody competent will look for breaches -- that leaves no discoverable liability.


You're imagining that every company is going to transition to some kind of nefarious mob-style wink-wink, nudge-nudge, no-written-records speakeasy, or what? That's really taking things far.

This whole line of reasoning is specious, anyway. It's based on a fallacy that enforcing penalties is just going to make everyone lie their asses off to get out scot-free. Is society so broken that they can get away with this? Come on.
