
Adobe To Pay $1M For Data Breach, Bolster Security, North Carolina AG Says - lun4r
http://www.ncdoj.gov/News-and-Alerts/News-Releases-and-Advisories/Press-Releases/Adobe-to-pay-$1-million-for-data-breach,-bolster-s.aspx
======
jbandela1
This data breach nonsense with slaps on the wrist is very easy to fix. Just
have the government assign a dollar value to each piece of private information
and allow for class action lawsuits for data breaches.

For example

Social security number $5000

Credit card number $1000

Address $500

Telephone $200

Email $100

~~~
MarkMc
There are lots of shady lawyers out there, and this would give them an
incentive to pay hackers to increase the size of data breaches.

~~~
graeme
Indeed. Seems like a cobra effect situation:
[https://en.wikipedia.org/wiki/Cobra_effect](https://en.wikipedia.org/wiki/Cobra_effect)

~~~
fgonzag
But it wouldn't be a reward. It'd be a fine paid to the government. The only
real reason with malicious intent I can see from it is people intentionally
hacking companies to bankrupt them or cripple them. But that just means they
had weak security anyway.

~~~
graeme
The OP was talking about class action lawsuits. The plaintiffs in class
actions are individuals, not governments. I took that to mean the OP was
talking about penalties to private actors, rather than to governments.

------
arkadiyt
Adobe made $1.46 billion in revenue for Q3 2016:
[http://news.adobe.com/sites/adobe.newshq.businesswire.com/fi...](http://news.adobe.com/sites/adobe.newshq.businesswire.com/files/press_release/additional/AdobeQ316Earnings.pdf)

~~~
josu
Also, increasing their security team by 1 engineer would have cost them more
than $1M (assuming a salary of $100K). So from a pure economic standpoint it
makes more sense for them to keep paying fines in future breaches.

~~~
67726e
How does a salary of $100,000 cost more than $1,000,000???

~~~
mgkimsal
Based on HN math I see promoted with respect to engineer costs, an employee
now costs a company 9-10x their salary.

But the OP might have been meaning over a 10 year period... ?

~~~
lawnchair_larry
That is not remotely accurate.

~~~
mgkimsal
My sarcasm tag wasn't working.

Every year I see numbers going up in discussions here, with a recent claim
that a Netflix engineer cost was $430k (salary + overhead). _sr_ engineers at
Netflix on Glassdoor were touching $200k - the "cost" (wild-ass guess on part
of the poster) seems a bit out of whack, and I was negatively exaggerating for
effect.

But also I originally thought this was damages for a long-running practice -
it wasn't. A 2013 data breach, from the article.

NC is getting a whopping $70k from this - likely many multiples of that eaten
up in time/money and opportunity costs. I've seen a bit of "yay, there's
precedent for paying a fine for this sort of thing" but this fine just put a
price on this sort of activity. Data breach affecting someone in NC? You'll
face a fine of $1.50 per account. :/

------
abhv
I am not aware of other firms that were fined by the government for their
negligence w.r.t. a breach. I would applaud the NC AG for pursuing this.
Despite the small amount, it sets a precedent. The second time Adobe fails, I
presume their fine will ratchet up. Remember, they were using DES ECB for
their passwords.

------
ocfnash
> A total of 52,734 North Carolina consumers were affected.

And also 152,989,508 email addresses were leaked, with sufficient information
to derive the password in many cases.

I got interested in this at the time and was pretty stunned at how easily I
could mine passwords:
[http://olivernash.org/2014/01/03/dna-of-a-password-disaster/...](http://olivernash.org/2014/01/03/dna-of-a-password-disaster/index.html)
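The two comments above (DES in ECB mode for passwords, and passwords that could be "mined" from the leaked data) point at one root cause: ECB with a single fixed key and no salt or IV is deterministic, so the stored ciphertexts can be sorted into equivalence classes (same first 8 characters, same whole password) without knowing the key, and once any one member of a class is known, every account in that class is exposed. The Python below is an added example, not code from the thread or from Adobe's systems. It demonstrates the property on constructed accounts, using an HMAC truncated to 8 bytes as a stand-in for the DES block function (the stand-in, the server key and the sample users are all assumptions), and then shows the salted, slow, one-way hashing that removes the leak.

```python
"""Why ECB-encrypted passwords leak: identical plaintext blocks give identical
ciphertext blocks, so accounts with the same (or same-prefix) password can be
grouped without the key. Contrast with per-user salted hashing."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

BLOCK = 8  # DES works on 64-bit (8-byte) blocks; ECB encrypts each one on its own

# Constructed stand-in for a fixed server-side DES key. The "block cipher" below
# is an HMAC truncated to 8 bytes: it is not DES and not invertible, but it has
# exactly the property ECB leaks, namely the same block under the same key always
# gives the same output, with no salt and no IV.
SERVER_KEY = b"constructed-server-key-not-a-real-secret"


def _encrypt_block(block: bytes) -> bytes:
    assert len(block) == BLOCK
    return hmac.new(SERVER_KEY, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(password: str) -> bytes:
    """Encrypt a password the ECB way: PKCS#7-pad to whole blocks and encrypt
    each block independently. Two users with the same password get byte-identical
    output; two passwords sharing their first 8 characters share block 1."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(_encrypt_block(data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_leak_report(users):
    """Group accounts by their first ciphertext block (same first 8 password
    characters) and by their whole ciphertext (identical password). No key is
    needed: the grouping is visible from the stored ciphertexts alone.
    Returns (prefix_groups, identical_groups) as sorted lists of name lists."""
    by_prefix = defaultdict(list)
    by_whole = defaultdict(list)
    for name, pw in users:
        ct = ecb_encrypt(pw)
        by_prefix[ct[:BLOCK]].append(name)
        by_whole[ct].append(name)
    prefix_groups = sorted(v for v in by_prefix.values() if len(v) > 1)
    identical_groups = sorted(v for v in by_whole.values() if len(v) > 1)
    return prefix_groups, identical_groups


# --- Hardened form: slow, salted, one-way password hashing -------------------

def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt. Equal passwords
    now produce unrelated digests, so stored hashes cannot be grouped."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed sample accounts (not breach data).
USERS = [
    ("alice", "password"),
    ("bob", "password"),
    ("carol", "password1"),    # shares its first 8 bytes with alice and bob
    ("dave", "correct horse"),
]

if __name__ == "__main__":
    prefix_groups, identical_groups = ecb_leak_report(USERS)
    print("ECB: accounts sharing a first block:", prefix_groups)
    print("ECB: accounts with identical ciphertext:", identical_groups)
    salt_a, digest_a = hash_password("password")
    salt_b, digest_b = hash_password("password")
    print("salted hashes equal for the same password?", digest_a == digest_b)
    print("verify alice:", verify_password("password", salt_a, digest_a))
```

Under ECB the report groups alice, bob and carol by their shared first block and alice and bob by identical ciphertext, which is the structure the 2013 dump exposed; under the salted PBKDF2 scheme the same two "password" accounts hash to unrelated digests, so the store reveals nothing about which users share a password.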

------
mjul
The extraterritorial EU General Data Protection Regulation (GDPR) sets fines
of up to 4% of global annual revenue for companies not sufficiently protecting
the personal data of EU citizens from May 2018 and onwards (with a cap of 20
million EUR).

The requirements for compliance are absolutely non-trivial, so I suggest that
startups (and older companies) start designing compliance and privacy into
their business processes and systems already today.

~~~
mbrookes
EUR20m isn't a cap - the fines are up to EUR20m or 4% of annual worldwide
turnover, _whichever is higher_.

------
qjighap
Do they have a feed into security yet? At the time I reported the release of
all the emails and I couldn't get past first line support. They kept telling
me that spam wasn't their problem.

------
0xmohit
That amounts to less than 2 dollars per affected customer.

Leaves corporates with very little motivation to take such breaches seriously.

