243 comments

[ 3.2 ms ] story [ 198 ms ] thread
"Data maximisation is the norm" is a big point. Emphasize that. If they are looking for a punitive legislative approach to curb breaches, remind them it's not just the "how", but the "what". Between HIPAA and SOX and the like, they are familiar with the burdens that come with different data types. Hopefully, between differentiating types of data and discouraging storage of data for other (law enforcement?) use, we can just have less data stored in general. At some point, companies should see data as a liability.
I agree, this is a nice convergence point between non-technical, comprehensibly regulateable and high impact. It's for sure the message I'd like to leave lingering in their mind.
Yes, this last point. I’ve had to get legal involved to stop data nerds from warehousing PII we had no need to even collect in the first place

Point out the liability of having information we shouldn’t and that stuff ends really fast

Principle of least privilege access. If you don’t need my info, gfy

> At some point, companies should see data as a liability.

This is key. Currently, there appears to be no business downside to collecting PII, so companies collect as much as they possibly can. If, through regulation or some other means, data became a liability (or at least came with some downside risk) then perhaps companies would become more thoughtful about what they tried to collect and store.

Seems to differ between companies. We have seen PII as a liability since early on, but more so as we move closer to GDPR.

GDPR forces us to justify and be transparent about each data point we collect.

This has increased the urgency of cleaning up any non required data points, adding expiration to data and moving data from subcontractors in house.

Guess that a lot of companies are in our position.

GDPR seems to be particular to europe. It might be better to say it differs between countries, rather than companies.
GDPR affects any company that has european customers. So a lot of non-EU companies will be affected.

Guess it will be harder to enforce when a company does not have an EU sub though.

(comment deleted)
I think this is key. All the conversations we're hearing are about data breaches. In my opinion, that's merely a predictable and unavoidable symptom of data hoarding.

We need to move toward a recognition that collecting PII is inherently dangerous. Holding on to PII forever is inherently dangerous. And that's before the not insubstantial privacy risks these databases incur. I worry that any policy that solely concentrates on breaches is just going to lead companies to gamble that they won't be in the relatively small minority of companies that actually get hacked.

What can we do to incentivize a CTO not to have a customer database, or failing that to keep her company's database as minimalist as possible, even if she is 100% certain that database will never be stolen?

Tell them that data breaches will be a thing of the past if they pass two laws:

1. Criminalize moving PII out of the country. 2. Personal liability for every person involved in gathering and protecting the data, and those involved in managing the teams and companies.

The fact that people can get paid while externalizing the downsides of their failures is why this is a problem. Make the personally responsible and it goes away.

(comment deleted)
What's the point of "Criminalize moving PII out of the country" ?

Most of the risk comes from people who are already inside your country, or from people who break into your servers and therefore won't care about moving it outside your country.

Point 2 becomes meaningless if a company can just move their operations off shore while fully operating in your country.
> 1. Criminalize moving PII out of the country.

Please, please, don't. This forces global-scale operations to build computing in a number of places around the world to comply. National boundaries are meaningless on the Internet, and we already have enough of those jurisdictions in existence that doing global-scale operations with PII or even GIS data is an international legal minefield. Do you really want to suppress startup development by forcing global services to talk to 200+ different lawyers about what they're doing, in the long term?

I've worked on products where entire datacenters are forced to exist in order to comply with a law somewhere. Like this law, which I bet you didn't even know existed:

https://www.quora.com/Why-is-Google-Maps-unavailable-in-Sout...

> Personal liability for every person involved in gathering and protecting the data

I think it should only be the business that incurs the penalty. That way it is the business that is motivated to sufficiently train and oversee the employees.

Otherwise, you have employees on the hook, with employers incentivized to make them take shortcuts.

> Personal liability for every person involved in gathering and protecting the data

So basically you want a law requiring all employees to hide any evidence of a breach?

It reminds me of the law requiring all TV's to be quietly dropped of at night at a random neighbor, because it's no longer legal to throw them away, and the legal methods are expensive and inconvenient.

You are out of your mind. Please just stop and think about what you are saying before posting.

You essentially want to go to prison for something your co-worker overlooked.

When Troy Hunt is testifying before congress you know that at least some part of the government is functioning :)

I don't know where it fits in but I wish congress understood how silly it is that knowing our birthdays and SSNs is still treated as proof of our identity in 2017

> When Troy Hunt is testifying before congress you know that at least some part of the government is functioning

That's if it's not just a ruse to lure him to the US where they can then arrest him for being in possession of too much illegally-obtained personal info.

That would be an international scandal. Heck, it's not like we're unfriendly with the Australians anyway.
Look to GDPR for ideas. The EU is moving into a "privacy by default" direction of making companies increasingly more liable for hoarding user data that's not absolutely necessary for the functioning of the service. I believe a technical committee of the EU Parliament has even proposed to encourage end-to-end encryption use for services.

Here's an excerpt:

> The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services

http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2f...

And here's an article, too:

http://www.bbc.com/news/technology-40326544

To me, the main issue is accountability.

A citizen's data can be collected, badly secured, stolen, and used by criminals without the user ever being aware of step 1. Just like a citizen can get ill from swimming in a river without ever being aware of the factories upstream.

The solution is not to force citizens to constantly be on the lookout. It's to severely punish polluters and leakers.

When a CTO says "let's collect geolocations", the CEO should should have legal and business reasons to say "no way, it's not worth the financial risk of losing them; it could destroy our company."

---

Update: I do not think the government should mandate specific practices; it's too complicated, too fast-changing, and too hard to police.

It should be entirely results-based. You lose people's data, you pay big bucks. Figuring out how not to lose it is your problem. The government sets the rules, and the market plays the game.

Agreed. However, the punishment shouldn't just be financial, otherwise it will just be risk-assessed.

How about a ban on the data collection for a period, or lose the ability to use it.

I disagree. "You can't use the collected data anymore" is a million times harder to enforce than "pay us ten billion dollars."

> otherwise it will just be risk-assessed.

The key is to make the cost so large that the risk isn't worth it.

What's my geolocation history worth to Google? $20? $200? Make them pay $2,000 if they lose or misuse it.

Sure, maybe they'll buy "data loss insurance". But even then, there will be motivation to do things better. Eg, the insurer will refuse to cover claims where proper encryption wasn't used, will prorate policies based on data collected, etc.

From May 2018 in the EU the maximum fine for a data breach is €20m or 4% of global annual revenue. This is due to the GDPR.[0]

[0] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

So after a certain point, the bigger the company the lower the fine? 20 million is 0.01% of Apple's turnover.
4% or 20 million, whichever is greater.
Whichever is greater, Apple would probably pay about 20 million * 400 (going by 0.01%) => 8 billion dollars.

Which I think would hit Apple rather hard.

>>>I disagree. "You can't use the collected data anymore" is a million times harder to enforce than "pay us ten billion dollars."

Not especially hard; you send in auditors to delete the collected data from all servers. Oh, that kills the company? Too bad.

It wouldn't fly. And the data may have been "laundered" intentionally or not - used to send emails, get new customers and social media contacts, etc. It may be hard to even trace anymore.
Define 'misuse'.

If they sell ad space based on your geolocation, is that a misuse?

If they sell your geolocation, ip address, and search history together, is that a misuse?

Doesn't that still end up being financial? If someone is banned from collecting data and is later found to have been doing so anyway, the most likely recourse is fines, right? Or are you suggesting this would imply criminal consequences (i.e. jail)?
What's wrong with that? You get the socially optimal amount of data collection.
How about financial plus the CEO, and any management lower provably found negligent, can't work in a role where they have responsibility for data handling (which includes not being superior to anyone who is data handling).
Well put and a great analogy. I hope Troy uses it. Politicians pay attention to soundbites like that because they realize how those soundbites could be used against them if more people hear about them, too, and then find out their representatives did nothing to stop the companies from "harming the data environment."
The financial penalty needs to be in two parts.

1. a cost for losing personal data.

2. a cost per person's data that was stolen.

That ensures there is a minimum penalty. Enough to make it CHEAPER to take a lot of security measures, even if you don't have many people's data yet. But also a gigantic penalty for the next Equifax.

Be careful of not setting the fine high enough to motivate companies to cover up breaches instead.

No one would have known about Equifax if they had not self disclosed. It doesn't even have to be the CEO - if I am the employee who is about to cost my company $$$$, I might just quietly fix it and say nothing.

Covering up data breaches should be straight-up illegal, as in prison time. If I am the employee who is about to cost my company $$$$, I'd much rather report it than risk going away.
(comment deleted)
> Covering up data breaches should be straight-up illegal, as in prison time.

Is it also illegal to cause a breach? Do you understand the backwards motivations you are giving people?

He can disclose the breach, cause himself (or his co-workers) to risk prison, and cost his company $$$$, which is likely to get people fired.

Or,

Cover the whole thing up (i.e. quietly fix the bug), and no one will ever know.

And if they do find out, he can say "I didn't know anything about a breach, I proactively fixed a bug, I didn't realize someone had taken advantage of the bug" - i.e. he's safe either way.

There are two separate infractions here that shouldn't be conflated: allowing a data breach to occur, and failing to disclose a breach.

As far as I can tell, the perverse incentive you're describing is that the if the penalty for a breach occurring is too harsh, it could lead companies to cover up a breach rather than disclose it. A penalty for failing to disclose a breach would be meant to discourage that, and I don't see how that penalty is itself a perverse incentive.

The penalty for a data breach must be harsh enough that it would cost a company more than it would to guard against it. I don't believe that there exists a penalty that satisfies that condition yet is also light enough that a company wouldn't cover up any breaches that occurred.

Triple the fines in the event of a coverup would probably help too.
I agree. If my boss instructs me to implement data collection, then the company must be liable for everything that proceeds from there. Full stop. If that is too much of a risk, then companies will have to NOT COLLECT DATA.
Under the European GDPR regs coming in next may it will be illegal not to disclose.
And GDPR regs apply not only to EU citizens, but also US citizens residing in the EU.
And to US companies who do business with EU citizens and to the data of US citizens who have business with EU companies

Or anything that touches the EU, really.

This is a good point. The higher the penalty, the more incentive we provide for sweeping things under the rug. We have to have a sane balance.
I understand the problem but I am not sure what a sane balance might be. In general a data breach is something companies want to avoid already.
If we had the will to implement law, this would be laughably easy to solve: A 'checks and balances' approach of [personal criminal liability of the individual] vs [financial liability of the company] would work quite well:

Person(s) act to cover up a data breach -> Individual criminal liability -> A long time in federal PRISON.

A data breach is disclosed -> Massive FINES on the company (up to and including liquidating and shutting the company down), but no personal liability or criminal charges.

So, the only really hard part of this problem is the political will (vs lobbying / powerful people) to implement law at all to address this. Until we start taking privacy and data leaks VERY SERIOUSLY from the perspective of liability, nothing will happen. Sadly, to me this means nothing will happen :(

So basically if I disclose a breach I lose my job because my company no longer exists?

Vs. Pretend I never saw any breach (how will you prove different?) and have a chance to avoid all penalties?

This is a very legitimate question if the corporate death penalty is on the table. Maybe a better option would be C-level or VP and above have to go?
If you disclose a breach you might lose your job as the company might go down (financial liability for the company for losing personal data). But if you try to cover up the breach (pretend you never saw it) then you risk going to jail (personal criminal liability).

You get the idea. If the legal system was setup like that, you would be better off disclosing the breach and losing your job rather then risking prison time. You can always find another job.

No, if you disclose a data breach you get a small part (1-10%) of the total liquidation of the company before it goes out to pay the rest of the claims. Perhaps have some sort of national unemployment insurance for the rest of the employees paid for by another small part of the liquidation.
How about just straight un-employment but higher benefits (initially 100% salary/wages as normal) for employees who's companies shutdown or restructure?
No, if you disclose a data breach you get a small part (1-10%) of the total liquidation of the company before it goes out to pay the rest of the claims.

That creates an incentive for employees to cause data breaches and then disclose them for massive profit.

> That creates an incentive for employees to cause data breaches and then disclose them for massive profit.

I think this is a false premise. What is to stop an IT employee from installing Oracle database in production without a license (assuming technical leadership is incompetent like at Equifax), waiting for a bit, and going to the BSA or Oracle and saying, "hey come get your pay day".

One, I think anyone with a shred of ethics won't do it and two, I think if we put the ceo AND the board in prison for the actions of the corporation and its employees (while following directions), then we create a strong incentive for corporations to be of manageable size. Now, I hear a lot from our politicians crow about how much they love small business and how much they hate "too big to fail". This will be a big boon for that. However, I am not holding my breath.

Have the standard penalty for if a third-party discovers and reports the breach. Reduce the penalty if the breached company finds and discloses it themselves. Increase the penalty if they knew about the breach but did not disclose, and give the difference to the whistleblower.
Ha, this would actually totally work.
This is a bad idea; it just raises the cost of entry for startups unnecessarily. Liability should be in proportion to harm actually done, and harm actually done is in proportion to how much personal data is compromised.
I had a non-technical friend whose fatalistic impression was that "these things happen and there's nothing that can be done given a determined attacker." Well, look, I said, these hackers aren't going in like Mission: Impossible. Equifax was incompetent, and there's zero penalty for utter incompetence. There must be.

The Equifax hack was the equivalent of data malpractice. It's like a hospital mixing up the labels on saline and hydrogen cyanide and then saying, "Whoops. Sorry about that." The cavalier attitude that companies have about data security infuriates me. Americans will be dealing with the repercussions of this for the rest of their lives.

Meanwhile, Equifax keeps making money.

Equifax's entire business was trading off of our data, but protecting that data was evidently not a priority for them. They should be fined into oblivion.

My opinion is that information about you should belong to you. Other entities should not be allowed to keep or trade information about individuals without paying them directly.

That way people will realise that their personal info is worth something.

The problem is this is effectively a reputation score; only you have very limited rights to see it* (once a year, per agency; and only if you ask... Oh and BTW, I pulled /all/ of mine just before it came out that the breach happened; :( )

Also a problem; they use simple knowledge of a single magic number as authentication ('identification').

The three current companies in the US could have gotten together and worked around the lack of a national ID and created a private SIN cryptographic... but that would cut in to their profits. Though I hear other countries that have done this also have issues with 'business individuals' being contacted and scam attempts rampantly abusing their data...

> Other entities should not be allowed to keep or trade information about individuals without paying them directly.

To be the devils advocate for a moment, what about the other side of that? Should businesses not be able to keep and share records saying "This person owes us money but refuses to pay"?

>Should businesses not be able to keep and share records saying "This person owes us money but refuses to pay"?

No, because you would have practically no recourse if you were wrongly on such a list, and might not be able to prove you even were on it or that it exists. It's called "blacklisting".

You have a common name and share a birthday with a felon? Say goodbye to your chances of getting a credit card!

The biggest issue there is for screening for guns and some employment screening.

If you’re name is John Smith, good luck!

That's not how credit reporting laws work the United States.

It's true that they could/should be stronger/tightened/held to a higher standard, but there is a process to dispute your credit file. Creditors are legally required to give you certain information when they deny you for credit.

That is not how the credit reporting laws work, but it's how the system works.

That process is extremely flawed and unreliable. Have you ever tried disputing your credit? good fucking luck. I've been arguing with Equifax for over a year because they "have it on record" that I lived somewhere that I've never lived. I have no legal recourse unless I want to spend thousands of dollars on lawyer fees.

You shouldn't need a lawyer to pursue them. Assuming you're within the time periods prescribed in the FCRA, you can file your own complaint in your local small claims court.

Before that, I'd send them a letter clearly marked "Notice of Intent to Sue" (on the letter and envelope) stating what information is incorrect, and that you plan to file a suit in [insert name of small claims court] on [insert reasonable date] seeking $1,000 in damages for each violation per 15 USC 1681(n), unless the disputed information is removed before that date. And enclose any supporting documentation, and history of previous fruitless correspondence.

IANAL, but this has worked for me before with the credit bureaus, and I've never actually had to file the threatened suit. My best guess is that threatening litigation gets the case assigned to a legal team that is actually empowered to correct errors. It's a shame that that's how they've chosen to run their business, but then again, I'm not their customer, I'm their product.

HN is all like "speech should be free and unlimited and protected always... Unless someone's talking about me."

That sort of hard stance seems extremely unworkable. If I sign up for Hulu they need my email and billing information at the least. So they are supposed to pay me now because I gave them that to get a service? So then ot evens out so my streaming is free now? Goodbye any useful paid service. Goodbye any free service.

What you're really advocating here though is abolishing free society as we know it.

You think I'm kidding? All court proceeding would have to be in secret and unrecorded as saying "so and so convicted of manslaughter" is now illegal. All public records abolished entirely, no accountability anymore. No journalists could publish a story about anyone ever. Harvey Weinstein sexually assaults hundreds of women? Can't tell anyone or publish that information, Harvey Weinstein owns it. Even telling someone else about your date last night would become illegal.

I think gp ment commercial data, with the aim to prevent the resale rather than collection.
Though, it would seem like data in general is more commercializable now than it was a century ago.

I certainly don't want to be the person to have to draw a line in the sand between "non commercial data" and "commercial data".

Then again, maybe I want to sell access to brain scans of people using hardware I made to a 3rd Party in the future… :P

Its not any harder than labeling things for tax purposes. If you sell it, it is commercial and should have restrictions on how it's held and transmitted. It's not unreasonable to require part of that process to involve payment to the data originator, as a royalty for the unique data they created. This would also allow those creating the data an easy way to see how it is ultimately used.
>Its not any harder than labeling things for tax purposes.

And how many countries are companies able to skirt through financial engineering?

Yeah, people can create all the rules they want, but I'm more interested in how people plan on enforcing it… because from where I sit, that's where countries are lacking (esp with politicians accepting some kind of bribes/kickbacks/revolving door/election financing/lobbying doors in them all), and it isn't getting any better…

Even when the hardware for brain scans get cheaper and more open, the raw data it self in the hands of the average WeChat/Facebook/Line, user is useless unless one understands how to process it into something useable…

Companies that can attract talent will increasingly start making all the data that they collect public by default… side stepping the pain of data breeches when you keep costs down by making it public by default… how they process it, that's a different story… maybe those companies will get their useds pissed off enough to actually think about their choices of using their platforms and not use them… though, that last part seems increasingly unlikely.

I don't believe that's at all what the OP meant by:

> "Other entities should not be allowed to keep or trade information about individuals without paying them directly.

I interpreted the comment to mean if I subscribe to say Hulu they are not allowed to sell that information to third parties and also if I cancel my Hulu account my data is not kept around since its no longer needed.

> It's like a hospital mixing up the labels on saline and hydrogen cyanide

I don't even think that's a strong enough comparison. It's more like a hospital not bothering to label their bottles at all, and then go "oh, sorry about that" when the inevitable happens.

If you think that is bad, you should read about the Toyota "unintended acceleration" case from several years back. It's a preview of exactly what will occur when the first self-driving cars hit the road. Toyotas gross negligence (through following standard business practices still in place and still followed by every company you can think of) surrounding software development resulted in the deaths of multiple people. And the courts tossed up their hands and said "we can't convict them of criminal negligence because there are no standards when it comes to software that they broke."

Hire the cheapest 'talent' you can find, refuse them training or the tools or environment or time needed to do a competent job, and give an MBA the reins to ignore their concerns and protests but push something out the door. It's a recipe for disastrously flawed systems and big piles of money for executives.

I thought the unintended acceleration issues had been largely disproven as user error.

That is, many other brands of cars had been reported to have the same issues by drivers. And basically a driver was put into a stressful situation, thought they were hitting the brakes, but were actually hitting the gas. Then, panicking that they can't stop the car, hit the "brakes" harder, exacerbating the problem.

I don't think this is true. If you google for toyota and misra (a C coding standard for safety-critical systems) you can find many reports on an audit that was performed on their code and the _many thousands_ of violations that were found.
There may be a bit of both at work here, because I remember seeing a lot of issues with hacking the Prius at Defcon[0], but I vaguely recall the SUA incidents being mostly related to as pedal misapplication.

I know Wikipedia isn't exactly a great primary source here, but:

> From 2002 to 2009 there were many defect petitions made to the NHTSA regarding unintended acceleration in Toyota and Lexus vehicles, but many of them were determined to be caused by pedal misapplication, and the NHTSA noted that there was no statistical significance showing that Toyota vehicles had more SUA incidents than other manufacturers.

https://en.wikipedia.org/wiki/Sudden_unintended_acceleration...

In any case, I believe companies can definitely be guilty of criminal negligence (and Toyota did a lot of bad things during their SUA crisis). But I think the use of SUA in the comment I originally responded to sort of misrepresents the situation and mostly spreads a lot of FUD around self-driving cars.

[0]: https://www.engadget.com/2013/07/28/auto-hacked-ford-toyota-...

IIRC Toyota did have a real problem with clearance between the accelerator pedal and (their own aftermarket parts) floor mats. It was possible for the pedal to be wedged against the floor mat.

I don't think that was conclusively shown to the cause of any of the incedents though.

Posting my long comment here because the Disqus bot and I don't get along for some reason.

Troy, I think you have done a lot of good for infosec. Thank you. Here are my thoughts: You will be in a room full of lawyers. Examples that they understand are important. For example, (Full credit to @strandjs 2017 DerbyCon keynote) in the Crowdstrike v. NSS labs case, they sued to prevent "third parties to access or use the products" and prohibited "any competitive analysis on the product".

Sorry to get into the weeds here, but the TL/DR is the following.

- Delaware District court Judge Gregory Sleet's ruling supporting product performance assessments.

- Government funding to support projects like ModSecurity that contribute to US economic security.

- Whitelisting (that works) is the future.

Today's security vendor marketing seems to have a free pass to lie. Thankfully, on 2017-02-13, Judge Gregory Sleet of the Delaware District court ruled against Crowdstrike writing "The consumer review fairness act of 2016 underscores the public's interest in performance assessments. The new law voids provisions of form contracts that restrict a party to that contract from conducting a performance assessment of or other similar analysis of..." "The court finds the public has a very real interest in the dissemination of information regarding products in the marketplace." It goes on to say if NSS's data is inaccurate, Crowdstrike could publicly rebut that data with evidence and the public would benefit from the exchange helping inform the public if they should trust future NSS reports. He concludes "the public interest weighs strongly in favor of denying Crowdstrike's motion." https://www.csoonline.com/a...

Security is hard. I have been researching the Apache Struts2 exploits that Equifax was hit by. Assume another vulnerability like this exists right now. It could be Struts or some other web framework. Webshells used in the Struts hack are really hard to stop for many reasons. As far as I understand, if ModSecurity's open source web application firewall was installed and properly configured (not a simple task), the CRS (core rule set) would have prevented the Apache Struts2 exploit from working. Open source projects that make major contributions to protect United States national and economic security should receive more support and funding.

As a recognition for the contribution of all open source, Richard Stallman and Linus Torvalds should be recommended to receive the Presidential Medal of Freedom.

ModSecurity works by looking for known malicious patterns and blocks them. I hope one day we can get web application firewalls to work well using a whitelist setup. Instead of trusting everything and blocking things that look bad, on highly sensitive systems like Equifax, I hope to see a way to trust nothing and allow traffic that is known good. For example..

import re

def findWords(string1):

  return re.findall(r"\b[^\d\W]+\b",string1)
f = open("apache2-access.log", "r")

data = f.read()

data = data.upper()

answer = findWords(data)

for a in answer:

  print(a)
Now use bash to sort and get count..

$ python3 words.py | sort | uniq -c | sort -n

The next step is to create a modSecurity rule that uses the same regex "\b[^\d\W]+\b" to only allow REQUESTS that contain words that are on an approved list using the @pmf parameter file as in this following example. Note I just started looking into this, so I will leave the rest as an exercise for the reader :)

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf windows-powershell-commands.dat

See github owasp-modsecurity-crs/rules/REQUEST-932-Application-ATTACK-RCE

I don’t know if you lost format or context moving from Disqus but I found this largely unreadable.

Of the parts that were readable, I find myself strongly disagreeing with a majority of your paragraphs, notably:

- I don’t see how Crowdstrike vs NSS has any relevance in this at all, especially given the preamble on Troy’s site. Reasonable people can disagree on the outcome of that case (as a former Crowdstrike employee, I can acknowledge my own biases there), but I just don’t see how it’s relevant.

- Similarly, I don’t see how formally recognizing Torvalds and RMS does anything meaningful, and I can think of a dozen other researchers who have had objectively more concrete contributions to SECURITY than those two.

- Whitelisting every url pattern isn’t going to ever be a viable solution - in large part because the white lists will eventually be regexes and people are bad at regex.

Replying to own comment..

whitelisting with modsecurity tutorial...

https://www.netnea.com/cms/apache-tutorial-6_embedding-modse...

Step 8: Writing simple whitelist rules "Using the rules described in Step 7, we were able to prevent access to a specific URL. We will now be using the opposite approach: We want to make sure that only one specific URL can be accessed. In addition, we will we only be accepting previously known POST parameters in a specified format. This is a very tight security technique which is also called positive security: It is no longer us trying to find known attacks in user submitted content, it is now the user who has to proof that his request meets all our criteria."

"Our example is a whitelist for a login with display of the form, submission of the credentials and the logout. We do not have the said login in place, but this does not stop us from defining the ruleset to protect this hypothetical service in our lab. And if you have a login or any other simple application you want to protect, you can take the code as a template and adopt as suitable."

SecRule REQUEST_FILENAME \ "@rx ^/login/(displayLogin|login|logout).do$" \ "id:10250,phase:1,pass,nolog,tag:'Login Whitelist',\ skipAfter:END_WHITELIST_URIBLOCK_login"

# If we land here, we are facing an unknown URI...

Mandating specific practices with regard to technologies is probably not possible, but we can certainly come up with a general framework for deciding the degree of recklessness. For example, the penalty for allowing data to be stolen via an exploit for which a security fix was issued months prior should be more severe than via a zero-day.
Staying with accountability. The source of the vast majority of these attacks are from China, Russia, and Eastern European countries. Why shouldn't the people commiting the crimes be punished? Currently those governments and crimals almost always get away with it. There is no punishment for bad behavior. As most of us being technical engineers on HN know it is nearly impossible to completely prevent a breach or attack if a savvy group wants to put in the effort and time.

I'm not saying that Equifax and equivalent companies were not grossly inept and incompetent, but eventually we have to start putting pressure on the criminals and reduce the incentives. Cyber crime currently does pay. Extremely well.

There are already enough laws covering the unauthorised use of computer systems.

The US Congress (and for that matter European Parliament) are limited to acting upon companies and people within their borders.

Who should you go after? The people that keep stealing drugs from the pharmacy, or the pharmacist who keeps the keys to the drug locker on a chain beside the door.

> Currently those governments and crimals almost always get away with it.

> but eventually we have to start putting pressure on the criminals

Hmm. On the one hand you are certainly right - but on the other hand I'm sick of the consequences of decades of US interventions in foreign countries. To make stuff worse, China, Russia and Eastern Europe is, basically, one block. If the US were to intervene in ANY of the countries, and if only with economic sanctions, I can easily see either a hot war or more stealthy "counter interventions" like the Russian support for Trump on the horizon.

Pressure and (military?) intervention only really works against tiny/poor-ish countries in Africa and Southern America. The rest can do whatever they want and are accountable to no one.

While I agree that accountability matters, I believe you are stripping blame from U.S. actors when there is blame on the U.S. front as well. To think our country doesn't do these exact same things to other nations is blatantly ignorant.

It has been proven that U.S. agencies hold flaw information so that they may use it against foreign or domestic actors rather than informing the entities responsible for these vulnerabilities or the greater public.

This is truly a global issue and it is a mistake to focus blame on any singular nation states. You must not let the U.S. propeganda machine cloud your judgement.

Penalties would need to be based on the size of the company or breach, otherwise this would result in smaller companies being unable to risk competing, right? If effective features or revenue require user data collection, but smaller companies are terrified of data loss, they're less likely to compete.

Admittedly, smaller companies will have minuscule teams and probably an increased risk of slipping up, but also smaller databases to lose or target. But I don't like the idea of only the largest companies having the ability/confidence to power on.

If Uber is getting a $20k fine, I doubt that's a deterrence for them, but it would be for a tiny startup.

Penalties need to impact CEO compensation. Punish them with a $200K max cash salary and no options or security instruments to get around the penalty.
No, just make them pay the fine directly, lose their jobs and right to be company directors, and bad cases, where they turned a blind eye, actually go to jail.
Let's say that Party A collected private data as in your step 1. Then Party B stole that data as in your step 3.

Do you punish at step 3?

Party A's step 3 is Party B's step 1.

I don't much see the difference between them.

What if Party A willfully gave the data to Party B? No punishment? Equifax is a good example of Party B in this case. Can't we punish all the Parties A?

not just big bucks. Jail time for those responsible of oversight in terms of data security sounds very appropriate. Call it jail or something else, but it needs to impact individuals and not just company money, and it should have dire consequences on their future job prospects in that field.
Accountability is a petty side show. Who, in the first place, gave the providers consent for all this, and who appointed them owners of PII?

There is a gross lack of information and consent, and a violation of the proper ownership of PII, which should be with the user. Right now data is collected under the cover of overly broad user agreements that are never read, if even that, and data is dispersed among third parties without further user knowledge. The user is completely in the dark. They did not really agree with the collection of data, and cannot really see what was collected, where it ended up, and how it was used, not even at an aggregate level. Furthermore the user finds it very difficult to withdraw, even if they had actually given informed consent, since it's so hard to delete anything off of premises you do not own. It's a distraction to talk about how to punish people for not safekeeping something they stole from you in the first place.

After all, a so-called "breach" is just one thief stealing from another -- would you expect a thief to care that much on your behalf?

Fully agree! This is the important point to stress here in my opinion. Was a bit surprised to not see more comments about this aspect of the problem here.
I'm not a big fan of contracts of adhesion. I think that to give up important rights by contract should require a correspondingly conspicuous degree of solemnity, not a link at the bottom of a web page to terms of service that state they can be changed at any time by one party.

But the reality is that no matter how much contractual solemnity you require to let other people trade in your personal information, most people will do it in order to get credit. If to get a home loan you had to copy down a contract giving the bank the right to do credit monitoring in longhand with a fountain pen and sign it sixteen times in your own blood, my guess is that people would still be doing it, because credit monitoring really does make loans cheaper. So as a practical matter, I don't think the Equifaxes of the world would go away if the problem you point to was solved. Whereas there's no reason they shouldn't at least internalize the cost of losing your information through incompetence.

"I do not think the government should mandate specific practices; it's too complicated, too fast-changing, and too hard to police."

I disagree.

Breeches are inevitable. "when", not "if". Today, for interop, all demographic data must be stored as plaintext, because we don't have national identifiers.

The only fix is to issue globally unique identifiers. Then we can encrypt demographic data at rest. Greatly mitigating the damage of breeches.

That's why we need a federal level solution.

The only fix is to issue globally unique identifiers. Then we can encrypt demographic data at rest. Greatly mitigating the damage of breeches.

How does that follow? I work in a country with such identifiers, and I don't see the connection.

By the way, just because such identifiers exist, doesn't mean people are keen on giving them out to every company, and in fact, asking and storing it is frowned upon by our national data protection commission, unless you have a good reason to do so (just like any other personal data).

Just like passwords, you don't store the identifiers as-is, which is a rule that is easy to explain, enforce.

Translucent Databases: Confusion, Misdirection, Randomness, Sharing, Authentication And Steganography To Defend Privacy

http://a.co/hTfRPP9

http://www.wayner.org/node/39

There is no need for a single centralized identifier. Each need for an identifier has its own requirements, things like ensuring a person has been served only once, ensuring every person has been served at least once, ensuring every participant meets some criteria, etc. There is no need for, for example, the social security administration to be able to cross-reference with the drivers license registry. It makes no sense, and would be pretty dangerous, to create a single identifier that invites cross-relation of a persons entire existence into an easily-profileable bundle.
You perfectly articulated the opposition to Real ID. I usedto share your views.

Then I created regional health exchanges and worked in election integrity policy (voter registration databases).

Without guids, there is no way to both link demographic records across systems AND encrypt those records at rest.

I’d be okay with a handful of id (guid) issuing authorities per use case. Voting, health care, pension, etc.

I very much wanted infratructure for faceted identities (personas) which could not be correlated. But now I don’t think such a thing is possible. I believe, but cannot prove, that Big Data will always win the privacy vs deanonymization arm’s race.

PS- Corps like Facebook, Lexis/Nexus, NSA, etc have already uniquely identified everyone living and dead. My proposal daylights that fact, restoring power to the people, and insisting that our data is encrypted at rest.

+1. The debate needs to be reframed. Right now we implicitly accept that corporations have a right to scrape and store our sensitive personal data with zero regard for security best practices, and we hem and haw over what the penalty should be, if any, when the leaks inevitably happen.

We need to look at it from the other direction. Leaking personal data harms consumers. If you do it and are shown to have been negligent, there should be a meaningful penalty. The legal/financial calculus needs to force corporations to take this stuff seriously, or not at all.

Corporation X does not have a right to exist in the future just because its business works in the present.

You have the key points: Some significant (edit: strict, not negligence-based) liability for data breaches is the key. And regulation of security practices is the worst idea ever; it will ossify current architectural mistakes at best and turn into a complete regulatory capture nightmare at worst.

Ideally the liability would actually go to compensate victims (for example, via class action). But even if the government keeps it it might be better than nothing.

A potential improvement would be to require companies to carry insurance (or be able to solvently self-insure) for the maximum possible liability if all the personal data they store was disclosed. That way a company like Equifax has to price the full risk of the data they store even if it is larger than their whole market cap. And the insurance industry might learn to do some due diligence, and be a source of "regulation" with much better incentives to be optimal than a government regulator has.

If we were to implement some form of insurance, I worry that executives who make bad decisions about user privacy won't ever see jail time. This needs to be something you can go to prison for.
Criminal law is a very blunt instrument, and for good reason is usually reserved for deliberate actions, not mistakes. If you want to make willfully concealing a data breach (to avoid liability or just bad publicity) a crime, that would be pretty reasonable.
We have laws for criminal negligence. If a company is building a bridge and the CEO ignores warnings from one of their engineers, or deprives them of the tools necessary to do their job, or hires inexperienced engineers because they are cheaper - that CEO goes to prison. This should be the case for any company which deals with the public. White collar crime causes more economic damage and kills more people every year than street crime does, but we punish it as if it doesn't matter and such crime has become utterly normalized and it needs to be stopped.
Sorry, I just don't agree. Strict liability is where it's at, because the reality is that standard practice in these matters is very risky, so you're never going to be able to pin negligence on anyone even in a civil case. Making companies fully internalize the expected cost of data breaches will actually solve the problem, even if it doesn't make you feel as good. What you propose will most likely be totally ineffective, and even if it does anything it will just be to create some kind of wasteful butt covering behavior totally orthogonal to actually solving the problem.
Perhaps a more pragmatic solution would be like truth in labeling laws on food cans. I.e. the company collecting your data must explicitly say what it is collecting, in a standardized format specified by the government.

Like if an app is going to transmit your email address book back to headquarters, it must specifically disclose it is doing so, otherwise the app maker is subject to enforcement action.

That won't solve the problem, because there are plenty of good reasons for people to share information with companies that they don't want to share with everyone. In the case of the Equifax breach, people shared personal information with their lenders; do you think they're going to stop doing that if they're informed?

See also my reply to @pishpash below.

(comment deleted)
That's effectively what the European General Data Protection Regulation covers.

The good news for European citizens is that global organizations are accountable for safeguarding their data. The good news for global citizens is that European organizations are accountable for protecting their data too.

The gap? Non EU custodians of non EU citizens' personal data.

That's a big gap!

We need a Global Data Protection Accord.

Do you really think China and/or Russia would ever get in line with something like that, given that they're responsible for (or at least turning a blind eye to, in the cases where it's not government-sanctioned) almost all of this crap?
given that they're responsible for almost all of this crap

Where'd you get that impression? Almost all data public data breaches concern Western companies and Western hackers. And people have been warnings against the lax security standards and worse coding practices for decades.

Your trying to shift the blame to the russkies is just another example of denialism.

I see millions of hack attempts coming from Russia and China every day even on sites that see a tenth of that traffic, and have to deflect them constantly. Who do you work for?
A potential downside to "entirely results-based" enforcement is that companies now have a negative incentive to monitor for and report data breaches.

Why install an intrusion detection system if it could potentially cost the company millions when it triggers? Better just to not know that data was exfiltrated. You don't even have to cover anything up if you never learn there was a problem to begin with.

Twelve months ago I'd have called that a solved problem - c.f. entities like the EPA, OSHA, or NHTSA that conduct results-based inspections and investigations ("how much crap is actually in the water coming out of your pipes?", "was this injury/crash/accident a result of a violation") and come down on violators like a ton of bricks - but the suicide party is doing an excellent job of sabotaging our civilization's guardrails and sawing away at its fall-arrest lines.
Yes and hiding a leak should also be more severely punished.
In the Netherlands we've had a err, meldplicht / reporting obligation for data leaks for a while now. We also have laws about how user data should be protected, and an agency actively checking whether businesses uphold said laws.

It's not complicated for government rulings; the law just states what information is considered private (and this doesn't change too often), and make it obligatory to protect it. Which it already is I'm sure.

Folks seem to like my "polluting a river" analogy in the parent comment. I thought of a related point.

People have said that if there are consequences for losing customer data, companies will be motivated to cover up their mistakes. Part of the solution there would be "whistleblower" laws similar to what we have for OSHA violations. But another part would be legitimizing white hat hacking.

Suppose my apartment has some hazardous problem, like exposed wires. It's perfectly legal for me to notice that and tell my landlord. I can take pictures for proof, and if necessary I can report it to the government. The landlord will not be allowed to ignore me.

If, however, I notice a glaring security problem on a web site I use, there's no government agency to tell. If I tell the site owners, there's a good chance that they can ignore me or even punish me for noticing.

Now, going along with my "results-based" argument, unlike building codes, we don't want our laws to specify security practices. But if an outsider can demonstrate that they can obtain personally identifiable information from a computer system, the owners of that system should be fined and required to fix it, and the person who found the problem should be legally protected.

Imagine the mess a landlord would be in if somebody died because of a hazardous condition that they'd been notified of six month earlier. Now imagine that web sites were held to the same standard. "You had a massive data breach, and this security researcher has proof of notifying you six months earlier of the vulnerability. You're in big trouble."

I love the polluted river analogy.

You often hear today that "Data isn't oil" but from a breach perspective it is a good analogy when considering its toxicity.

> Folks seem to like my "polluting a river" analogy in the parent comment.

Yes, definitely!

Eben Moglen makes exactly this point in his lecture, Snowden and the Future Part III. He puts it as privacy being 'ecological not transactional', and uses 'pollution' as you have.

I can't resist an extended quote; Moglen puts it very eloquently:

> Those who wish to earn off you want to define privacy as a thing you transact about with them, just the two of you. They offer you free email service, in response to which you let them read all the mail, and that's that. It's just a transaction between two parties. They offer you free web hosting for your social communications, in return for watching everybody look at everything. They assert that's a transaction in which only the parties themselves are engaged.

> This is a convenient fraudulence. Another misdirection, misleading, and plain lying proposition. Because — as I suggested in the analytic definition of the components of privacy — privacy is always a relation among people. It is not transactional, an agreement between a listener or a spy or a peephole keeper and the person being spied on.

> If you accept this supposedly bilateral offer, to provide email service for you for free as long as it can all be read, then everybody who corresponds with you has been subjected to the bargain, which was supposedly bilateral in nature.

Full transcript+video+audio at http://snowdenandthefuture.info/PartIII.html

“Seems like the only winning move is not to play.” - WOPR
You just summarized the principle of GDPR legislation across the EU, coming into effect May 2018.

Fines of up to 4% of global revenue of the offender.

Looking forward to massive lawsuits against Facebook, Google, Uber, etc.

> When a CTO says "let's collect geolocations", the CEO should should have legal and business reasons to say "no way, it's not worth the financial risk of losing them; it could destroy our company."

Sounds like the EU Data Protection law, which says you need a legitimate reason to store & process personal data.

The government shouldn't mandate any specific practice, but they could create a regulation. You lose people's data that you use for identification, that data can no longer be used for identification. If it is used, you are liable for any damages caused by a false identification.
The CEO and company management should eat their own dogfood. Their personal data should be stored in the same insecure systems as their victims.
I don’t think LifeLock’s founder regrets making his Social Security number public. Sure his identity was stolen over a dozen times [1]. But he made millions. Making businesses liable for data loss is the only stable long-term solution.

[1] http://www.businessinsider.com/lifelock-symantec-ceo-identit...

Was it stolen because he literally broadcast it, or because it was stored in his service? Big difference.
Point is the cost of putting his information at risk outweighed the benefits he derived from the company.
A similar thing happened to Jeremy Clarkson of top gear fame in 2008 when he said the theft of bank numbers wasn't a big deal and published his bank details.

Someone donated £500 to a charity on his behalf to prove him wrong.

http://news.bbc.co.uk/1/hi/7174760.stm

The article says: “Incidentally, I've decided not to mention specific data breaches but rather to focus on the patterns...”. When trying to influence people who won’t be subject matter experts, I tend to think the opposite approach would be more effective. People readily latch on to tangible examples of what goes wrong, and while legislation is too often a knee-jerk reaction to single events for that reason, here is a chance to use that phenomenon to your advantage. If my measure of success was positive influence rather than pure education, that’s how I’d go.
I would seriously consider taking the list of Congresspeople who are going to be running this hearing, extracting out the information you already have on them from your dumps, and preparing them a personal sheet of paper for each one showing them what you have about them online.

If it's in public, you can't read it to them, but you might be able to hand it to them personally.

This will be far more powerful than almost anything else you could do. It's not a problem "Americans" have... it's a problem they have.

Produce that list with a note next to each piece of info for which company lost it...
And when. And the lag between when the breach occurred and when the public was notified of the breach, along with all relevant information the company provided to help customers determine the extent of their information that is now public.
I think sharing congresspeople's private login information from leaked sites as public record would light a useful fire under their asses.

If its already freely available on the dark web, the bad guys already have this data. Might as well level the playing field and make the public aware of the extent of the issue.

At least prepare the number of .gov and .mil accounts that have been compromised, huge blackmail risk for people who have access to top secret info.

You'd want to be careful doing that. When people are upset, they sometimes shoot the messenger. It seems to happen a lot in security.
Francesca Polletta's book "It Was Like a Fever" brings forward some really interesting points of discussion about storytelling as a political device.

Some relevant quotes from the text:

"If the fact that everyone can tell his own story makes it easier for people to challenge the assurances of the powerful that certain policies are to everyone’s advantage, the fact that narrative is seen as less authoritative than other discursive forms may weaken that challenge."

"We are ambivalent about storytelling, not dismissive of it. There is a strong vein of skepticism toward professional expertise in American culture. Against that skepticism, the authenticity of personal storytelling makes the form trustworthy—sometimes more trustworthy than the complex facts and figures offered by certified experts."

"...those wanting to effect social change must debunk beliefs that have the status of common sense, familiar stories are more obstacle than resource."

"when feminists brought sex discrimination suits against employers, they struggled to prove that women were underrepresented in higher-status, traditionally male jobs because they were discriminated against and not because they had no interest in those jobs. Arguing that women wanted the jobs put them at odds with a familiar story in which girls grow up to want women’s work, and men grow up to want men’s work. To judges, feminists seemed to be saying that women were just like men, something that flew in the face of good sense."

I think there are really only two possible ways to fix the problems with data breaches.

1. Impose a fine for every individual account leaked. Even if it were only $10, the recent Equifax loss of 143 million records is a $1.4 billion fine. It should probably be higher if gross negligence is involved. This would create a new industry (data breach insurance).

or

2. Make it so simply having all the leaked information on an individual isn't enough to cause any harm. I'm specifically thinking of some PKI-based scheme where I verify my identity by signing something with my private key.

There may be other variations, but the choice seems to be between forcing data brokers to be responsible or make it so that their irresponsibility is harmless.

How do you get a grannie to use a public private key cryptography? It would probably have to be a physical device.
Yeah, some kind of card. I think Estonia was issuing something like this.
FWIW data breach insurance exists and is relatively inexpensive since breaches are rare and cheap to remediate. These changes would have a profound impact on that market.
Social Security Numbers are broken as a "unique secure identifier". We need some sort of certificate-based solution.
Treat it like HIPPA. You will will be banned from doing business if you fail to secure data properly.
I'd love to see a discussion around data breaches with the use of public records laws. There's a huge lack of responsibility and auditing around it, which lead to large batches of information being wrongly released to the public. This is a systemic problem whose fix likely sits somewhere within a strongly enforced legal process and accountability framework.

For example, when Seattle accidentally gave me millions of emails: http://crosscut.com/2017/10/seattle-information-technology-d...

I'm happy to see that the context for this testimony is related to ID verification. The bank example Troy gives is a simple & understandable problem that we all can wrap our heads around (Congress too!), which provides a concrete scenario to explore.

The way I always approach this problem is one of ownership. Congress, implicitly, assumes that individuals own their data. That is why it used to be possible to ask individuals to prove their identity by asking them to verify data they own, and presumably, haven't shared too broadly.

Identity theft is really a robbery then, because data which belongs to you is stollen. The government's opening position then needs to be that data belongs to consumers.

What isn't clear is the physical metaphor for what happens when you give your data to a third party, explicitly or implicitly. Am I 'leasing' my data to Facebook? Am I granting them shared ownership? Or is it more like a Bank... I'm allowing Facebook to "re-invest" my asset, they can make money off of it while they have it, but in exchange, they have to keep it safe.

I personally really like the Bank metaphor, and like banks, you can get certified as safe by the government to be a Bank, and have that certification taken away... We already have data protection rules like this in BTW, called HIPPA

I think I also agree with @nathan_long's point, in that perhaps the government shouldn't be concerned with the how data is kept safe, but rather than track breaches and complaints... that would be what leads to a revocation of status.
(comment deleted)
I have one area / worry that I would like Troy to introduce as a question and to give his advice / opinion as a subject matter expert:

1) The role and responsibilities of security researchers in discovering and investigating data breaches (maybe also discuss the spectrum from white-hat to black hat, yet the tools they all use are effectively the same).

2) The role and responsibilities of journalists in reporting the said breaches.

3) The impact of laws and litigation leveraged by governments and corporations to protect themselves in the event of data breaches.

4) Why a fair and happy balance between the interests of 1), 2) and 3) is a necessary part of mitigating and reducing the possibility of data breaches along with unhappy examples and their consequences.

I'll admit that four questions above are a kind of scope creep to the intended discussion, but my concern is pretty real. The laws and norms that we have today, while imperfect, are the reason why Troy is being asked to appear as a subject matter expert. Whatever the laws and norms of the future are, they will need to sufficiently flexible to allow future subject matter experts to learn and operate, so that they too can make meaningful contributions to the issues of their time.

Edit: formatting

> I'll admit that four questions above are a kind of scope creep to the intended discussion

I think they are absolutely relevant, specifically around the context of disclosure. Frame it as "people shouldn't be afraid to report crimes or vigilant in watching for them" and you can get support. Yes, Troy should make it clear how he and his ilk are chilled by these same offending companies.

Not to forget the DMCA anti-circumvention provisions which make it illegal to report on security breaches you discover on your own devices.
tell them to return to paper voting
Shouldn't consumers have privacy and anonymity by default? Unless there is a specific, explicit permissions to collect data that can be personalized it shouldn't be created.

Its fine for companies to collect basic usage and telemetry data--but when they start personalizing it without a user's permission/consent (i.e. when they start tying it together with personally identifiable information [as Facebook and Google do] then it becomes weaponized and can then do great harm to individuals. Privacy by default--and anonymous by default would essentially prevent this.

It should be illegal to use knowledge of ID numbers to authenticate things that will effect your credit report.
One thing to make clear about the Equifax breach is that it wasn't caused by a single security update that was never applied, as has been put forward by Equifax. It was caused by an insecure information architecture that let web front ends have direct database access. Good security requires defense in depth, not an unbreachable perimeter. Equifax's security was a failure long before it was hacked.

Obviously the technical details may not be the appropriate level to discuss with Congress, but an analogy that they can understand might be helpful. What Equifax did was the equivalent of keeping the country's nuclear codes at an outpost in Afghanistan and then blaming a sentry for falling asleep when an enemy slipped in and stole them.

- Current penalties do not weight the cost-benefit equation sufficiently to overcome the financial and agility costs of implementing strong data security policies.

- Current remedies are designed for the convenience of the entity (write a check to a credit monitoring service and issue a public apology). The burden of action remains on the person whose data was collected, possibly without their knowledge or consent.

- Lack of accountability. It is difficult to overstate the impact of a breach like the Office of Personnel Management's SF-86 database, or any of the NSA leaks. That degree of negligence could arguably have been treated as a treasonable offense.

Troy you have bulleted out most items of interest, I would also advise you to add mitigation methods: as a computer scientist I am shocked that more conglomerates are not legally obligated to encrypt information and also ensure that information is only decrypted while it's being used and looked at. Data that is not being currently used should be hashed and inaccessible to someone without the credentials (unless you're the NSA and have the brute force to work the search space). Data, like a person's address and social security number, can be encrypted such that we only need a small portion of the correct data to decrypt the entry, but we need to tie the ends of the conversation together: "can I have your secret answer and last 4 digits of your SSN?" should actually initiate the decryption of the data, and should be a real preventative layer instead of just a delay for the clever social engineering ploy.

So please recommend that conglomerates be forced to encrypt data in ways that protects the vast majority of accounts in case of a data breach.

Thanks a lot for taking the initiative to ask the community, regards to you my friend in freedom.

That CEOs should be accountable for lazy security.

That everyone does security theater, no one does real security. Mostly for convenience to marketing data is not encrypted in REST, data is not segmented into different data stores (own store for passwords etc.) but stored in the same MySQL database, employees can dump millions of records instead on one-record-at-a-time, people let fly unencrypted Excel sheets everywhere etc.

Why? What does a CEO know about InfoSec? Why make CEO's punching bags for fields they aren't experts in?
What does a CEO know about accounting? Should they be held liable for irresponsible accounting practices performed by their subordinates if they are not an expert in accounting?
Then they manage the company and make sure they have someone in charge of overseeing InfoSec that does.
My personal opinion is that in order to make sure that breaches like the Equifax one are preventable and handled correctly, these measures should be imposed

1) An entity storing personal data, must be audited by a government approved 3rd party and their rate must be made public. 2) Any breach (or suspicion of a breach) must be reported to this 3rd party within 24 hours.

The issues I saw with the Equifax breach was that there was NOTHING that told us how bad their security was and they were allowed to not report the breach for a month.

Extend existing product liability/tort legislation to data privacy.

Product safety in the US is the world standard precisely because plaintiff attorneys extracted enough cash from manufacturers that shareholders, banks, investors, board members and insurers forced reform.

Make failure expensive. Limit liability for small business. Make officers personally liable in cases of gross negligence.

This and about 5 years will deliver results.

(comment deleted)
Tell them you have their private browser history.