1. Any company that makes software with low-level access to systems (i.e. admin privileges on Windows, root privileges on UNIX systems) is criminally responsible for any security breaches of its software, unless it can prove that it took all reasonable steps to keep its software safe.
2. The CEO and CFO will receive a mandatory 30-day jail sentence on the first instance of a breach with consequential damage.
3. The jail sentence will be tripled if the company downplayed or omitted to report any security breaches.
4. The minimum sentence increases by 30 days for each subsequent breach linked to an executive, and resets after 10 years of no breaches.
I get the outrage when a company leaks its customer data due to a security breach (or, really, for any reason).
But punishing the victims of a crime to encourage better protections? Isn't that the same as to punish house owners in case of burglary for failing to protect their home appropriately?
I’m not in favor of this. For this to be reasonable, coming from someone who writes exploits for work and fun, you need to define all. Otherwise you’ll be unreasonably putting people in already overcrowded and underfunded jails. Instead of jail, consider a more reasonable and realistic punishment.
> criminally responsible for any security breaches
Criminally? A bit wild. Microsoft would probably be bankrupt by now. Just look at PrintNightmare from this week.