Schneier on Security
A blog covering security and security technology.
January 28, 2014
EU Might Raise Fines for Data Breaches
This makes a lot of sense.
Viviane Reding dismissed recent fines for Google as "pocket money" and said the firm would have had to pay $1bn under her plans for privacy failings.
Ms Reding said such punishments were necessary to ensure firms took the use of personal data seriously.
And she questioned how Google was able to take so long to get round to changing its policy.
Ms Reding, who is also vice-president of the European Commission, wants far tougher laws that would introduce fines of up to 5% of the global annual turnover of a company for data breaches.
If fines are intended to change corporate behavior, they need to be large enough so that avoiding them is a smarter business strategy than simply paying them.
Posted on January 28, 2014 at 6:47 AM
• 15 Comments
The problem with the EU regulations (I'm familiar with both EU 95/46 EC and most of the individual states' implementations of it) is that they are very much open to interpretation, so rather than company X paying the billion-dollar fine it's far cheaper for them to pay $10m to a smart lawyer who is going to argue that in the eyes of their client they were doing the right thing.
Unless they go the way of the often loathed and ridiculed PCI DSS and actually prescribe the exact conditions that in the eyes of the EU make the data safe, then it's not going to make an ounce of difference.
So, are the fines truly intended to stop data breaches, or is the fining just another disguised tax? After all, the fining body has everything to gain from the breaches.
The idea is to create a negative incentive that will lead to more conservative security practices, but I think the fines would need to be a lot larger for firms of this size to start taking notice.
The EU fined Microsoft around $2 billion for operating in open violation of EU competition laws for over a decade. Because nobody goes to jail, Microsoft is able to treat these fines as any other business expense -- say, marketing -- on the road to market domination.
Treat misuse of PII as a copyright violation: $150,000 per occurrence. That's how much they want to charge us. It's only right to apply the same liability to everyone.
@ mike acker
That's clever. Problem is for many services you license them your info by using the service.
All governments are corrupted to the core today and will do this and all kinds of other dubious acts to legally steal money from companies and individuals to buy votes and pay for their foolish, out of control spending.
Any reasonable company that depends on customer trust will never be primarily motivated by survivable fines. Loss of trust is not survivable and any company that doesn't keep that firmly in mind will go under sooner rather than later. Hopefully, both of those incentives are pushing in the same direction.
When you see a company that depends on customers' trust fighting with regulators, the best assumption is that the company is disagreeing with the law on what is best for the customer and what the customers are trusting them to do.
@mike acker & @Nick P...
You may license them to use information a specific way, but the data breach, treated like a copyright violation, makes more sense than it should, since information -- data, IP, etc. -- is being delivered to those with no right to it.
Frankly, I suspect a better mechanism for combating such violations is to expose the private details of all executives and board members to the same degree as those who've been exposed by their "business as usual". If we have to expose the top 10 share-holders information, well, that's only fair, isn't it?
Yes, yes, I know, this is almost straight out of "Fail Safe"... perhaps we need to start thinking that way.
Only when those choosing the means of doing business-- those in control of the purse strings curtailing proper staffing, for instance-- get to feel the consequences for their lack of interest in doing what is right will we ever see any changes.
Decisions are seldom made anywhere near the "front lines"; those in the hindquarters part of the organization restrict "proper" implementation of technology.
Having those that make decisions (business / govt) live by the same rules, or, in your case above, pay the same price (having their info put out) is a great idea. Just how much better would things be if politicians had to live by and with the same rules they put on the people?
@ Brett @ Jack
The problem with having institutions "live by the same rules" as individuals is, mainly, that institutional finance works differently from personal finance.
The easiest way to illustrate the difference is by reference to banking institutions.
If you give a bank $100, and they keep it for you, when the bank enters this amount into their accounting ledger, this $100 is listed as a liability -- since you can ask for it back at any time.
Now, with the $100 you gave the bank, they can lend out $80, and expect it paid back with interest to the amount of $90. This $90 -- which the bank just lent out, but doesn't possess yet -- is listed as assets.
So the financial institution lists the money it has as a liability, and the money it doesn't have yet as an asset.
Institutional finance works differently than personal finance.
There are similarly counter-intuitive ways to look at institutional debt (government debt is good and, essentially, doesn't need to be repaid if your economy grows faster than the interest payments), government taxing and spending (taxes are NOT money taken out of the economy -- the government spends all the money it collects IN THE ECONOMY -- as wages, which get spent in the private sector, and on goods and services purchased from the private sector -- taxes are good for sustainable growth), the private sector generally (a large private sector is good for industry because it provides a stable level of aggregate demand -- markets are unpredictable because, if a competition is fair, the outcome is always uncertain, whereas public sector employment has generally been considered more stable), economic regulation (regulation does not distort markets, competition does: the purpose of a competition is to put your competitor out of business, tending towards monopoly; regulation is essential to preserving competition, just like laws (restrictions) are necessary to preserve liberty), and the like.
I guess the way to impress upon an institution how important the need for data privacy is would be to decimate the board of directors as well as the core executives.
And... I'm not talking about sacking. Maybe the Romans were onto something.
The 5% of turnover fine came a lot closer to being adopted than the post leads us to believe, as it's in the proposed law that was to replace EU 95/46 EC. The proposal is currently on hold but it could still be approved.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.