• Vub@lemmy.world · 10 months ago

    Kind of worrying when their source is a “data breach information website” that does advertorials for “the most safe password manager” NordPass. 🤮 The internet of today has become a pile of absolute shit.

  • demesisx@infosec.pub · 10 months ago

    I have a solution:

    governments should heavily fine companies that are subject to data breaches.

    If it cost them real money (proportional to their market cap, the amount of customers affected, and/or the severity of the breach) to allow a data breach, I’m betting they’d shore up those holes REALLLLLLLLLL QUICK.

    • bleistift2@feddit.de · 10 months ago

      Article 82, paragraph 1 of the GDPR:

      Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

      Paragraph 2:

      Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation

      Article 24, paragraph 1:

      **[T]he controller shall** implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.

      Article 5, paragraph 1f:

      Personal data shall be: […] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss,

      Article 83, paragraphs 2 and 5:

      Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

      Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

      (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

      Article 4, paragraph 7:

      ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

      (All quotes are excerpts, emphasis mine.)

      https://gdpr-info.eu/

      • bartolomeo@suppo.fi · 10 months ago

        I got lost in the comments… why did you paste that here? To show that it is possible to make the data controller liable for breaches?

        • bleistift2@feddit.de · 10 months ago

          Exactly. This is supposed to show that what @demesisx@infosec.pub demands is already law in the EU.

      • demesisx@infosec.pub · 10 months ago

        I think we can both guess why these companies never really face penalties that hurt them materially despite this being codified into law in the EU…