
Who is the "we" here? And how should companies be held accountable?

It's very rare for someone at the highest level to be held to any kind of liability, and paying fines rarely, if ever, causes these too-big-to-fail corporations to materially impact them.

Strictly speaking about the US here.



> paying fines rarely, if ever, causes these too-big-to-fail corporations to materially impact them.

That means the fines aren’t big enough. They should probably be scaled according to the business’ revenue.


From a justice perspective, it should be scaled according to the number of customers impacted (and how bad the impact was). Which is likely to be about the same as scaling with revenue.


Justice isn't served if the impact of the penalty doesn't force change. If a company can harm millions of people but the financial damages we can assign to that are lower than the cost savings of the decisions that caused the problem at the scale of a large business, the business only has the logic of finance to care about, and that logic almost always says "wellp, that was still the right call."

If our only tool is fines, we must scale those fines not by some monetary definition of the harm, but by what will make the necessary impact on the decisionmakers involved.

I think we should use tools other than fines, like criminal conspiracy liability for controlling shareholders and executives, and the threat of dissolution of businesses to pay out to the victims, but if it's fines or bust, the marginal value of dollars is just on a different scale for these businesses and we should grow the fines accordingly.


Needs to be at the level of enforcement by regulatory agencies, large-scale lawsuits backed by state governments, and maybe even congressional action.

These companies have scale as their moat, and that's called a monopoly. We need to be aggressively pursuing corporate malfeasance, closing loopholes, and breaking up companies. In my ideal world the entire doctrine of the "corporate veil" would be overturned, but that seems unlikely to happen without drastic upheaval. Antitrust action and large-scale suits can happen, and to some degree those wheels are already in motion, but it would help a lot to stop buying this bullshit about how we should think of this as a "crime" for which we should uniquely blame hackers. These megacorps want to pretend that they and their customers are in solidarity as victims of the hackers. In reality, these companies get hit with essentially none of the consequences, and their practices are most of the relevant causal factors. A better model would be that the customers (and often non-customers on whom they collect data without even the fig leaf of manufactured consent) are victims of the companies and the hackers.


These companies are so massively large that they price in the risk of data breaches as a cost of doing business.

Insurance underwriters pore through corporate infosec documents and require only the most basic level of protections.

I think instead, a stricter certification standard needs to be created, and all these large companies must pass ANNUAL audits, or simply lose access to government leased spectrum.


It seems that we agree that regulatory enforcement is a great framework through which to make this happen. I think we should regulate both security and data retention far more aggressively, and be willing to destroy companies if they fail to comply. The lack of an existential risk makes it easier for them to maneuver around other solutions.


> These companies are so massively large that they price in the risk of data breaches as a cost of doing business.

Just make the fine a percentage of annual revenue and that will change.



