alt Hacker News> I wish there was a law that assigned a dollar value to different types of PII leaks
There is. It is called GDPR.
Plenty of companies have been fined for leaks like this.
Some countries also have whistleblower bounties but, as you might expect, there are some perverse incentives there.
Replies
The GDPR (in art 32) only requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". I expect it's quite common for a company to get hacked even if they meet that level. I think the parent comment was imagining that any leak is automatically fined, regardless of whether the company had met some security requirement.
Does GDPR mandate a payout to the researcher after disclosure?
The GPDR makes it so small companies need to hire expensive lawyers to be compliant (and you still don't know for sure, based on the laws)
How about fining individual developers with poor coding practices?
Yeah, as an American, I'm jealous of many aspects of GDPR. I really appreciate you blogging / tooting about experiences protecting your rights under GDPR. I wish we had 1/10th of the consumer privacy protections you have.
How does security research like this work out in practice, in the EU?
I read a lot of vulnerability writeups like this and don't recall seeing any where the author is European and gets a better outcome. Are security researchers actually compensated for this type of work in the EU?