This sort of stuff will continue happening until the regulatory framework acknowledges a fundamental consumer right to privacy.
If a data broker collects data without the consent of the consumer, then their only real risk is a class action lawsuit which drags on for six years, gets settled for a few days profit, and the consumer gets $13.50 after the legal fees. This massive skew in the risk reward calculus of data brokers is why we have the problem. Because there's little to no real downside, the trend is automatically collect as much data on as many people as possible.
Fixing this means big, mandatory, cash penalties in the law code - say $5k per consumer data leak, directly to the affected consumer, with added penalties if the company lies about the leak or delays payment. The fine must be big, mandatory, and paid directly to the consumer. Only that changes the risk reward ratio.
In that new world, companies would have to re assess their risks. They'd either build invulnerable systems and hire a lot more people reading HN to protect their golden goose, or better still they'd decide to exit the business entirely. That sounds bad, but the only reason the industry exists is because regulators failed to foresee massive leaks like this happening every three months.
We need a consumer data privacy law, with massive fines, to force companies to change their behavior. What we're doing now clearly does not work.
They should tax companies so that operating data centers become more expensive. Increase price of electricity or property tax. That will inherently force companies to collect and store less data, hence less damage from breaches.
If a data broker collects data without the consent of the consumer, then their only real risk is a class action lawsuit which drags on for six years, gets settled for a few days profit, and the consumer gets $13.50 after the legal fees. This massive skew in the risk reward calculus of data brokers is why we have the problem. Because there's little to no real downside, the trend is automatically collect as much data on as many people as possible.
Fixing this means big, mandatory, cash penalties in the law code - say $5k per consumer data leak, directly to the affected consumer, with added penalties if the company lies about the leak or delays payment. The fine must be big, mandatory, and paid directly to the consumer. Only that changes the risk reward ratio.
In that new world, companies would have to re assess their risks. They'd either build invulnerable systems and hire a lot more people reading HN to protect their golden goose, or better still they'd decide to exit the business entirely. That sounds bad, but the only reason the industry exists is because regulators failed to foresee massive leaks like this happening every three months.
We need a consumer data privacy law, with massive fines, to force companies to change their behavior. What we're doing now clearly does not work.