Marriott's customers are victims of Marriott's negligence.
I'd argue it has nothing to do with corporation or non-corporation. If someone is injured in a car accident due to an unfastened seatbelt, the driver is also potentially both a victim (assuming they weren't at fault for the accident) and guilty of negligence (for not making sure safety equipment was used properly).
This is what civil courts are for; there’s no need at all for a new law. A general frustration that’s pretty common in internet communities is how regulators and legislators deem it necessary to create so many new laws just for the internet. We expect that the 4th amendment should apply to our packets just as it does our mail, and houses, and persons. So I can’t help but see hypocrisy whenever I hear demands that companies should be financially or criminally punished after being a victim of a cyber crime. If there’s a legitimate tort, then you already have legal recourse.
More like, if a car is caught in a pile-up accident, it is both guilty of hitting the car ahead and victim of being hit by the next car. If he was pushed by the back car into the front car, and took all necessary precautions, he can call for a kind of force majeure and make the back car pay for both, but the aggressor has to be formally identified. Marriott didn’t take enough precautions to pretend being victim of a hacker.
"Marriott didn’t take enough precautions to pretend being victim of a hacker."
Marriott was literally, prima facie, the victim of a hacker. The data didn't steal itself. Someone trespassed into Marriott's network and stole data that did not belong to them.
Legal culpability, while certainly not the strong point of HN, is a thing. Negligent, grossly negligent, and reckless conduct are technical terms that exist and have meaning.
I'm sick of replying to this because I don't like defending Marriott in this case. I hope they get a painful class action ruling. I think legal reforms around this are needed, but I am entirely unconvinced anyone here has a reasonable framework of regulations that would benefit anyone.
I was confused by this comment but I think what you're trying to criticize is this: "Marriott didn’t take enough precautions to pretend being victim of a hacker."
I agree with that criticism. It's not a crime to be a victim, but being a victim also doesn't mean you're not guilty.
Marriott might, however, still be liable for some damages due to not following common security practices for sensitive personal information. Anyone from California, for example, would have § 1798.81.5 [1] and § 1798.91.04 [2] which would back up their right to have their data handled properly. The FTC might also get involved with their fairly broad powers to protect users' privacy (though that agency has been limited in this administration).
For the record I didn't think anything you wrote warranted a downvote and hope my response (though sincere, and I definitely disagree with you) didn't cause anyone else to downvote your comment. I don't think it varies much from much of the sentiment expressed in this discussion.
Marriott is the victim of "cyber" crimes.