He should partner with a law firm, for class action lawsuits, for every breach due to negligence (which is probably all of them).
Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
Get lawyers who want negligent companies to actually regret the breaches, with judgements that hurt. (Rather than a small settlement that gets lawyers paid, but is only a small cost of doing business, which is preferable to doing business responsibly.)
Optional: Sell data of imminent lawsuits, to an investment firm.
Though, ideally, investors won't need this data, since everyone will know that a breach means a stock should take a hit. Isn't that how it should be?
Heh, such an American response. Sue everyone and everything, lawyers get paid. But at the end of the day, nothing changes.
Meanwhile in the EU, we have laws like NIS2 where, if negligent in non-compliance, fines are 10 mil. EUR or 2% of global annual revenue.
E.g.: If Apple gets an $8 bil. fine, yep, that changes quite a lot I think. :)
How does the EU solution make users whole? At least with class actions, users get to see a few pennies.
I'm not trying to make an argument against strong regulatory bodies. We need those for sure. It would just be nice if the users were compensated for the exploitation and abuse they're subjected to.
The US solution does not make users whole and does not meaningfully change anything.
The EU solution meaningfully changes the offending company's behavior. I would rather have significantly fewer breaches of my information than a check for $6 in the mail every couple of months.
> The EU solution meaningfully changes the offending company's behavior.
Citation needed. I'd imagine they just add a tiny markup to their prices to pay the eventual fine instead of investing huge amounts of money into fixing their broken processes. Comparing the list of EU-issued fines against the respective companies' profits shows that they can simply afford to make those mistakes instead of preventing them.
Great, they meant better-acting corporations have no-click or single-click (dismissable with simple add-ons to proactively affirm the user's position) ribbons to get rid of unwanted cookies. Let's be realistic: anyone who hates those banners and hasn't bothered to do the Google search and 5-minute task to get rid of them permanently (either enabling or disabling consent) is not having their political opinion changed by them; they are using them as an excuse to buttress their position of government bad or corporations malicious.
The EU solution provides incentive for the government to attack large businesses with lawsuits. That’s predatory and will lead to large businesses trying to lobby the EU to go after their competitors.
It's with American companies in mind. Though I expressly addressed that it isn't about lawyers getting paid, and also how this might change things (motivate companies to behave responsibly, in this regard).
Basically, we have a high-corruption society, especially in 2025, but there's still vestiges of a system that can be leveraged in the public's interest, if you contort just so.
Do either of these approaches actually solve the problem? I think companies won't take it seriously unless their executives do, and their executives won't unless they are personally punished in a way compensation can't compensate for. Cane them Singapore style.
Probably impossible, but create a slush fund where companies that behave badly are forced to pay into so we can do things like fix roads and build housing.
We could instead randomly select representatives rather than using popularity contests where the candidates need money for advertisements in order to get popular, or to just even let people know that they exist.[1]
The idea of fines as a revenue stream has never sat well with me. Fines are meant to be a disincentive. The ideal collection amount is zero. Treating them as a revenue stream creates a perverse incentive to enforce the penalty without disincentivizing the behavior.
This is literally what happened in Belgium when politicians did the budget. A piece of the expected slice was traffic fines.
So that means that any kind of system that would improve traffic other than repressive measures would cost them twice, once to fix the situation and again when they can issue fewer fines.
If I drive carelessly and get a meaningful fine, I'll think twice next time, irrespective of who gets the money. I only care that I am fined. Unless the police starts to administer fines when they shouldn't, all is good, right? What happened in Belgium?
I don’t know about Belgium specifically, but one of the usual issues is that it incentivises aggressive policing of minor issues that make money (like parking violations), which takes resources out of other problems (like mugging).
In some situations (cough random towns with sections of highway running through them in Texas), it incentivizes an approach to traffic enforcement which is barely distinguishable from getting mugged.
That's fine for you personally, and it may sound all good from a logical, theoretical, or academic perspective, however I personally know of people who have lost their license due to multiple fines and "demerit points" (NZ) resulting in that consequence.
The fines and loss of license hurt them personally, professionally, and financially, but didn't change their behavior outside of the very short term.
In NZ we have people that are in and out of prison due to burglaries, robberies, etc... but the penalties don't change their longer term behavior.
There's a deeper problem, and penalties are important, but not the entire fix.
The occasional fine I get (and the prospect of getting another) does affect my driving habits and attentiveness, and it's the same for people close to me. Can't talk for others, though I'd expect this to be the norm.
Then these people _obviously_ are not fit to drive a multi-ton killing machine at all and should have their license permanently revoked, when they had multiple chances for introspection.
Driving carefully is not a boolean. It's possible to design roads/environments (accidentally or not) in such a way that the “you drove carelessly” metric that triggers the fine statistically applies more often.
Not really. If you hit a person with your car and that person becomes disabled, it will be way more expensive for the govt in the long run compared to a few fines.
Just like police departments use asset forfeiture to get money to buy their “toys” while innocent people lose their cash and cars because carrying cash is suspicious.
I agree with the overall position. Though I believe optimizing to collect zero fines is a bad measure.
A fine can be a relatively just mechanism to show that actions have consequences. And even the best people will occasionally make honest mistakes, so they will just get a fine instead of being persecuted for minor offences.
If fines degrade to a revenue stream, it's an indication something else is off with the financial structure inside the government. At least around here fines don't go into some official's private accounts, but I can see how they might "help" an underfunded department. Thinking about it this way, maybe we should consider funneling fines into a separate pool of money. Though I am not sure what to do when the fines are used to fix damage caused by the action (e.g. ecological damage). Governing is hard :(
If your ideal is a perfect society where everyone follows all the rules all the time you are going to be sorely disappointed. The ideal collection amount is the size of the fine multiplied by the actual occurrence of the offense. And that revenue should be strictly used for rehabilitative or restorative justice. For example, speeding fines should go to road improvements that deter speeding, making roads safer. If no one's speeding, there's no need for that. But people will always break the law.
> The ideal collection amount is the size of the fine multiplied by the actual occurrence of the offense.
I don't think that's a logically self-consistent idea. The "actual occurrence of the offense" is not an inevitable pre-existing fact, it exists downstream of the size of the fine and efficiency of enforcement. If you fine people 5% of their annual income for going 1 mph over the speed limit, and put more traffic enforcement on the road, fewer people are going to speed.
So to answer the question "what's the ideal collection amount", you have to consider what the costs (economic and social) of rule breaking behavior are, and trade those off with how much behavior can be modified by fines, as well as the costs of enforcement.
Furthermore, just taking the statement at face value, the only way to actually collect the size of the fine multiplied by the actual occurrence of the offense is to successfully fine 100% of offenders or fine some non-offenders, but even if this is possible it's almost certainly not the "ideal" amount of enforcement.
I just want to say that in modern times safety is put as the #1 priority, while it's actually always a balance. E.g. if we wanted the safest airline industry, we'd close the airports. But we balance safety vs usefulness.
Yes I agree. I was replying to the suggestion to put the proceeds from fines into a general slush fund. Doing that creates an incentive to use speeding tickets to pay for police overtime and radar guns instead of traffic calming infrastructure.
That says a whole lot all by itself. You acknowledge that reform doesn’t work? There is always money to be made because people don’t like the set of rules set? So when people follow all those rules, make new rules that people will break to keep it going? Where does it stop?
Governments should not operate fiscally like corporations. A financial institution will budget around fees because it's in their benefit for their customers to incur fees. A government should not budget around fines because they want the behavior which was fined to not occur at all.
I think one way to prevent bad incentives is to ensure that the organizational units that create and enforce policies are not the ones that benefit from any fines collected.
Maybe a uniform tax credit/refund for each citizen that is covered by that level of government. We the citizens can then decide if we fix the issue or continue to generate fines, but at least the budget isn't expecting revenue that could disappear (like the lack of traffic tickets during the beginning of COVID).
How about fines go into a sovereign wealth fund (but not be seen as a major source for the fund, more a bonus) so there is no short-term budget planning based on fine revenue.
It’s a form of regulation. We could also put the sysadmin and the CIO to death every time there is a data breach but we, as a society, have decided that is too extreme. We could also choose to simply wag our fingers and hope the shame they feel will prevent a repeat. Fines seem to strike a balance.
That sounds like a great slogan, but you really don't want a justice system that has an additional mandate to collect revenue. It's basically civil forfeiture all over again.
Getting a company to publicly announce a breach is hard today. Your suggestion would make it even harder, and more data breaches would be kept from the public because of the consequences.
I would rather know that a company messed up and change my password, than not know.
How? Disclosure should already be legally required--class-actions and lawsuits should already be a thing. The Have I Been Pwned data sets aren't volunteered by these companies. It's a catalog of leaked data.
The class-action response of "identity monitoring" is nonsense. More companies, if they can't afford to or don't want secure data, shouldn't collect it or should aggressively purge it. User data should be a liability.
I'm not sure, the effect would be to increase the riskiness of nondisclosure. If you disclose and get fined, that would be bad, but if you don't reveal and the penalty for nondisclosure is bankruptcy for the company and all its executives, that would be worse.
Only get a couple bucks from these class action lawsuits; give 'em a 15% discount or something if they own up to it publicly, I don't mind getting $18 instead of $20.
> Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
That's a massive infrastructure change to pay out what would likely be peanuts to users, put a massive maintenance burden on the platform (payments are a nightmare system), and disproportionately benefit a law firm profiting off of the lawsuits and the good will of the brand. Seems like a shit deal to me.
> Tie in to a banking service, so you can do direct deposits to many millions of people, every time there's new settlements paid, and you'll be a folk hero.
That's not much of a motivation, given that Troy already is a folk hero.
Ah yes, automated lawsuit initiation, that's what we need! Ooh, we could run every breach announcement through Deep Research and let the AI make a determination on which one is negligence! That would definitely incentivize more transparency and accountability on behalf of companies!
Actually no, the end result of this will be a return to deny, deny, deny, because the worst case scenario then becomes the truth getting out.
IMHO we should be crucifying the liars and the truly negligent, but forgiving the honest and good faith efforts. At least for now, automating that judgment is pretty difficult and will result in more of the "customer service" like experiences that we already get from most big tech, except now it has the power to make or break companies.
Man we have sure moved on from the era of Blackstone's Ratio being a thing people united around. I'm not saying it should be applied literally, but punishing an innocent person should be considered a lot more wrong than not punishing a guilty person IMHO.
“Based on the investigation into this incident, it was determined that the information involved may include your name, Social Security number, date of birth, Driver’s License number (if provided), Tribal ID number (if provided), medical record number, treatment, diagnosis, prescription and other medical information, health insurance information, member portal username and password, email address, and address.”
It’s not about innocence or guilt. If you leak so much information these people will have to monitor every single account, credit card, etc for life, on top of all their personal sensitive info being leaked and possibly accessed by unscrupulous employers. The damage is incredible. It’s not about innocence. It’s about responsibility.
I guess I should clarify: for incidents like that, I agree there should be severe consequences and blowback, including class action lawsuits and the like. If you are collecting stuff like SSN, DoB, DL number, etc then you definitely have a huge responsibility to protect that. I want to make data like that radioactive to collect so people think very carefully about whether they want to take on the liability.
What I don't think should happen is some automated lawyer combing the internet looking for any disclosures and then automatically filing lawsuits based on it.
We can debate semantics but if you describe yourself with a job title attached to a company then I suggest that you have an association which looks rather like ... employment.
It's not a job title, it's some Microsoft program, like their MVP program.
The RD site linked from Troy's site isn't loading for me at the moment, but if you search "what is the microsoft regional director program" you get back information making it clear that it's not for MS Employees.
> The Microsoft Regional Directors program recognizes industry professionals for their cross-platform technical expertise, community leadership, public speaking[...]
You can be sure that the confusion is not accidental.
As I see it, it's a way for MS to profit from free labour for its support service and a marketing stunt to benefit by association from the good reputation of this researcher and his initiative.
Even if it is not the case, people like the one previously will think: it is Microsoft employees that are managing this website, they know security.
It's not semantics at all, you just are excusing your own misunderstanding. He didn't describe himself with a job title, and he even explicitly states directly after listing those awards that he is not an employee of Microsoft.
Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? I have a masters degree by coursework from a university, so if I ever state I have an MSc, I'm an employee of the university? I have an electrical licence issued by EnergySafe Victoria, so if I say I'm an A-Grade Electrician, I'm an employee of EnergySafe Victoria?
I don't think many people would be confused into thinking a Microsoft Certified Application Developer or an AWS Certified Cloud Practitioner are actually employees of those particular companies.
> I'm saying those are bad attempts to argue that it's not a confusing title.
You might want to reread, nobody was arguing that.
> We can debate semantics but if you describe yourself with a job title attached to a company then I suggest that you have an association which looks rather like ... employment.
"Debating semantics" is arguing about which definition to use. There is no valid definition under which you can say that Troy is a Microsoft employee.
You can't say "I'm not wrong, You're just debating semantics", all you can say is "I was wrong because I was confused by a misleading title I wasn't familiar with."
cupofnotjoe pointed this out and got a bunch of responses from people with poor reading comprehension who entirely missed his point.
Edit: I use 'you' in the general sense here, not specifically the person I'm responding to.
> It's not semantics at all, you just are excusing your own misunderstanding. He didn't describe himself with a job title, and he even explicitly states directly after listing those awards that he is not an employee of Microsoft.
Yes, I agree. (I believe you think I am arguing against this; for clarity, I am not).
> Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? I have a masters degree by coursework from a university, so if I ever state I have an MSc, I'm an employee of the university? I have an electrical licence issued by EnergySafe Victoria, so if I say I'm an A-Grade Electrician, I'm an employee of EnergySafe Victoria?
I think these are poor examples and reinforce that the confusion was reasonable. That is the only point I've been arguing in this thread.
Nobody is really disputing that Microsoft chose a confusing award name. However that name being confusing doesn't mean he is an employee or anything really like an employee.
Directly adjacent to the post it says "Hi, I'm Troy Hunt, I write this blog, run "Have I Been Pwned" and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals"
That reads to me like he's a Microsoft Employee. It's obviously important/significant enough to include it prominently on his website.
"Microsoft Regional Director" is not a job title. It is an award that Microsoft gives out only to non-employees.
You might think the award has a confusing name, and you would be correct. What you cannot be correct in asserting is that an award makes someone an employee because that award has a confusing name. That isn't a question of "semantics", if you assert that award makes him an employee, you are simply wrong.
I'll repeat what I said in a related thread: I'm not saying it makes him an employee. I'm saying those are bad attempts to argue the title isn't confusing.
I'm not sure what you're rebutting. This is roughly the thread as I understand it:
1. "Extending your logic, I have a CCIE, so if I ever state I'm a CCIE, I'm an employee of Cisco? [other examples follow]"
2. "All your examples are not things that commonly are job titles, so you are not 'extending logic'."
3. "They are the same class"
4. "No they aren't, those are not job titles, thus they don't imply employment"
...
#. "those weren't attempts to argue the title isn't confusing."
I don't know what you're reading but #1 is doing just that; roughly translated: "Why would 'Microsoft Regional Director' imply he works for Microsoft? If I have a CCIE does that mean I'm an employee of Cisco?"
#3 Being a Microsoft Regional Director makes him an employee and any claims otherwise are based on some arbitrary semantic distinction, not a real difference.
#4 No, there is a real difference. That award is like these other awards and none of them take you anywhere near being an employee.
#5 The argument in #3 is flawed because MRD is confusing and the example titles others gave aren't. (Which misses the point, that using non-confusing examples is much better than using other confusing examples if you want to explain something.)
#6 that doesn't affect the argument being made in #4
#6 repeat ad nauseam
Troy is not a Microsoft employee; no amount of semantic wiggling will make him a Microsoft employee, no matter how confused people are by the title of the MRD award. That confusion may be justifiable, but doubling down when your error has been explained is not.
"Microsoft Regional Director" is not a job title, it is an award. You thinking it sounds like a job title doesn't make it a job title, it makes you confused. Being given an award does not make you an employee, especially when that award is only given to non-employees.
You are correct, "Microsoft Regional Director" is an award, not a certification like the others mentioned, so they aren't quite the same class, but the analogy still holds. Neither being given an award nor a certification makes you an employee.