That's pushing on a string, man. You will never be able to effectively track down and punish every bored Russian teenager.
As Schneier puts it - security is a process. The process doesn't have to be perfect, but there needs to be one. If your process is drastically substandard, someone needs to be liable for that. The need for a standards group and a single point of liability follows logically from that, just as it does with other engineered systems. Under HIPAA an individual must be designated a "security officer", and that role should extend to other systems that store Personally Identifying Information as well.
I think the real point of disagreement with many people is about the significance of a data breach. In my opinion (and the standards of the EU) anything that leaks Personally Identifying Information is significant. It doesn't matter if it's leaking from an app that sends fart noises to your friends, only that it can be tied to you or your other accounts. If you really need to be storing PII then there needs to be a requirement to do it securely (meaning in accordance with secure best-practices). Otherwise, again, nobody does it until it's too late.
A good read: https://www.schneier.com/essays/archives/2000/04/the_process...