I am all for tougher privacy laws, especially for companies that have not followed basic security practices for securing data. There is a proposal from US Senator Ron Wyden that would increase penalties and give more rights to consumers. Consumers could opt out of data sharing and executives could be fined or jailed. The penalties are stiff, and I think it’s not likely to pass, and more practically, many of the penalties might not actually get enforced.
In the US we don’t have much in the way of rights over our own data as humans. Companies, for the most part, have complete control over the data they collect about us and can re-use, sell, share, etc. that data in any way they wish. There are some laws concerning notifications of data loss, and some penalties in California’s recent law, but for most of the country, consumers are at the mercy of organizations. I’d like that to change, and I don’t think doing so would hurt most businesses. Aggregators and data only companies might struggle, but I’d like to see less of those companies in business.
Stronger penalties might stimulate change and better practices, but only if we fine or jail those that limit security efforts. Most technical people try to implement security but are often prevented or limited from making many changes when there is pressure to keep moving forward. Certainly some technical people don’t take security seriously, but I’d like to see employees absolved of responsibility if they show that they have asked for time or resources for security, but those aren’t granted. I’d also like to see some way for management at all levels to prove they have actually requested and funded security efforts, not just remain ignorant of the lack of security. Too many layers of management muddy the waters and often prevent those that are responsible for pushing other work over security from being held accountable. We need more accountability at all levels for poor security.
Likely there is a limited amount of structure that government can provide. Developers and infrastructure groups need to build and configure secure systems. Some funding needs to be available for security work, along with the time to do better. Management needs to make security a priority It’s a group effort and while I hope we can get there, I’m not terribly confident things will improve soon.