>So you'd like to have agencies set up to fine every company that gets hacked through 'known vulnerabilities'?
Not exactly, but I do feel that entities recklessly handling PII or possibly in this case their update servers should face consequences.
>Enforcing this arbitrarily after big hacks is hardly an equivalent analogy to enforcing traffic violations. It'd have to be consistent, well defined, and widely enforced to be at all effective.
We definitely agree on this.
>To me this is an emotional reaction that has no regard for cause/effect.
The end result will likely be more companies wasting time on useless theatrics like PCI compliance to protect themselves from legal liability rather than meaningfully protecting users' data and preventing their systems from being launch points for bigger attacks.
This is why I'm highly doubtful about the ROI of burdening companies, courts, and law enforcement with this 'solution'.
Even though it feels good to punish a faceless corporation for making a seemingly obvious mistake.
What's wrong with a PCI-like compliance that ensures companies that affect this many people have their servers patched on a regular basis?
Rubber stamps like PCI compliance might look like time wasters. Not all of them are. Given the huge increase in the amount of online credit card transactions, the number of cases where payment information is compromised is very low. That is partly due to PCI compliance IMO.
This particular raid? Undoubtedly.