Deliberately not disclosing the breach would likely result in much larger fines.
>If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO;
> The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
There is no definite scale for the fines though, I'm pretty sure negotiating with the hackers will be cheaper 100% of the time. This is interesting from a free market perspective: The undefined cost of the fines would lead to the discovery of the true price of data leaks by negotiating with thieves.
> There is no definite scale for the fines though, I'm pretty sure negotiating with the hackers will be cheaper 100% of the time
This will not be true if any paid-off breach is ever discovered as then you'll have paid the hackers and the fine, which will be larger because you've deliberately kept it from the ICO/similar.
What negotiating though? If your huge customer, orders and/or payments database is exploited and dumped and then used for identity/CC fraud, there is no negotiating with hackers. You will be found out eventually due to the proliferation of sold information and data dumps in the black market, which are then analysed by researchers. Then you will be fined possibly twice instead of once or not at all, since you also failed to report the breach.
I fail to think of relevant common situations where negotiating with the hackers would be an option in breaches relating to GDPR.
Do you mean they should pay off the hackers or ignore that a data breach ever happened? If it's the former then there are some obvious risks there and it's an expensive gamble. If it's the latter then it's likely discoverable without their involvement, one of their millions of customers will enter user+mariot@gmail.com as their address and register that with https://haveibeenpwned.com/ ?
The lack of discovery/disclosure also covered an acquisition; companies not disclosing breaches during acquisitions is something I bet the SEC would be interested in.
At least, it puts a ceiling on the price a hacker can extort.