> I sincerely hope that we will see massive fines, people lose their jobs, and perhaps some more severe criminal charges brought against those whose negligence caused this.
TBH I find this “off with their head” mentality to be counterproductive. Sure, if someone broke the law then administer justice. But it’s not addressing the root cause. What systemic weaknesses led to this scenario, and what systemic changes can we make to prevent it from happening again? That’s a much more productive discussion to have, although it doesn’t appeal to our baser instincts and so won’t score easy political points.
I agree with your point. It is complicated since every time humans become outraged about something, their emotional side tends to take over and they tend to look for someone(s) to blame and a head(s) to roll without taking all aspects into consideration, for example:
* How to pin-point one or a group of individuals to blame within the company? What if it is someone that has long moved to another company?
* Does finding a scapegoat and forcing someone out of their job resolve the matter? What's the impact on that person's life? Was it just for the masses to feel better?
To be honest, I think society is rewarding the wrong attitude in some cases. Someone in the reporter's position should have raised the issue to the relevant authorities and after the issue was resolved (at least partially), he should have made a request to publish an article talking about what happened, how many people could have been impacted, the actions he took. The outcome could have been that the reporter receives an award for his work and appreciation from society for raising awareness in the area, the government talking about concrete actions they have/will take, other companies and society works towards improving said issue.
Deterrence is important. It is unacceptable for any company to be this negligent about highly sensitive personal data. What leads to these kinds of situations is that the company didn't care about security at all. Even now the company reported the journalist to the police.
Thanks for the feedback. I wrote this post and I would like to clarify:
I did not intend to say that we should go outside of the confines of the law here and lynch anyone. But I sincerely hope that our legal system has the power to punish gross negligence (I mean that in an everyday sense, not as a legal term) and that officials and CEOs can't get away with anything by just burying it under several levels of procurement. The company in question was obviously not competent enough to handle the data that they received, and it is gross negligence to take on this kind of project without doing a proper audit of their systems and methods. At the very least, their handling was against GDPR, which should result in fines.
Yet somehow, they ended up with the project. That is negligence on someone else's part. If you're hiring contractors to build a highway bridge, you should be held liable if you pick the local carpenter to do the job, just because they say they definitely know how to make it out of wood. I hope that the legal system can punish governmental officials and government contractors for handing off sensitive data to a party that isn't even aware of how incompetent they are, and that merely the procurement can be considered illegal.
If my hopes are not fulfilled, and one can indeed hand off all responsibility in a procurement process, then I instead hope we will see the law change in this regard.
As for people losing their jobs, I think that warrants no explanation.
Still, I agree: the issue isn't bad actors, the issue is the process, and it needs to be addressed. But part of a good system is not letting contractors get away with bullshit, and making sure something is at stake when you take on a contract. If you can walk away from this wreckage without consequences, what's to stop you or anyone else from continuing to play fast-and-loose (which is usually the cheapest way to do things) with the public's data, raking in the payments and shrugging it off when things blow to pieces?
I understand I could have made that clearer, and I'll think about how to change my wording, or add a footnote or something.