
hk__2 yesterday at 4:25 PM

> the data stolen in the breach could include full names, dates and places of birth, mailing and email addresses, and phone numbers on an undisclosed number of citizens

Nothing really new here sadly; this information about me has leaked half a dozen times in the past 2-3 years or so. These things will never change if the only penalty the company/agency gets is "send a message to your users saying you are sorry and that it won’t happen again".


Replies

nout yesterday at 5:29 PM

Or maybe the government should not require companies to KYC you for every little stupid thing or action you do in this world. What happened to requiring only the information that's actually required? Why do I need to be KYC'd in the systems when buying a banana, ordering delivery, etc.?

Because of the inevitable breaches and leaks - KYC is the illicit activity. The selling point of KYC was preventing fraud and money laundering. It doesn't actually do that. Search for "largest money laundering settlements" and you will find 5 banks and one crypto scam.

SAI_Peregrinus yesterday at 11:43 PM

And 12 months of credit monitoring to go with the 2346823 months of credit monitoring they already have.

concinds yesterday at 5:17 PM

Penalties don't work for government agencies. Taxpayers would pay for it and it doesn't act as an incentive.

The way to fix it is to empower one government agency to do aggressive pentesting against every other agency, hospitals, banks, infrastructure, and big corporations, with salaries matching the private sector. Impose a legally-enforced deadline to fix any issues, with a fine (for private actors) or demotion of the guy in charge of infosec (for state agencies).

Forget compliance checklists, KPMG "audits" and all that crap, just have government-sponsored hackers trying to get into everything like an attacker would.

France seems to have had a ton of government hacks in the past year at various levels, so it's sorely needed.

xp84 yesterday at 5:20 PM

Hey now, don’t forget the offer of “free credit monitoring for a year” - I feel like at this point I’ve gotten so many of those that if I signed up for them all, I’d have my personal info in twice as many probably-hackable locations as I do already.

throwup238 yesterday at 4:35 PM

Wait, you don’t even get a month of free credit monitoring?

rectang yesterday at 5:26 PM

Seeing another one of these breaches had me returning to look at local-first software. https://lofi.so

I feel like if we're going to make progress in preventing wholesale data breaches it will be through architectural innovations that attack the problem of why a trove of concentrated data needs to exist. Even if the government needs to be a central authority, are there ways to house the data that limit the blast radius?

I'm sure there are innumerable arguments why this can't help, but when the mainstream alternative is despair and helplessness, progress will be made in the margins.

isodev yesterday at 5:43 PM

With everyone doing online “identity” verifications, all these details and more are already available to data brokers. Persona.. I mean Palantir even has a short video of you from your “liveness check” to go with the scan of your ID.

dawnerd yesterday at 5:22 PM

The problem though is when it's from a gov agency it validates previous breach data, making it more valuable.

ge96 yesterday at 5:01 PM

> Nothing really new here sadly

Facts at Equifax

reaperducer yesterday at 5:55 PM

> These things will never change if the only penalty the company/agency gets is "send a message to your users saying you are sorry and that it won’t happen again".

So, you want the French government to fine the French government so the French government uses French taxpayer money to pay the French government for the French government's mistake?

paulddraper yesterday at 5:20 PM

> if the only penalty the company/agency gets

What is the penalty for the government?

Ales375 yesterday at 5:08 PM

GDPR has solid fines for data breaches, but this doesn't work for government agencies. It's just someone else's money going from one government pocket to another. What they need is an automatic firing of the head of the government agency that suffered a breach. No questions asked.

shevy-java yesterday at 5:04 PM

Not disagreeing with you, but:

> These things will never change if the only penalty the company/agency gets is

I do not think penalties can prevent these situations. Perhaps they may be less frequent; perhaps people would get more compensation, but ultimately I do not think these can be prevented. The first consideration is why the data has to be stored in the first place. Naturally one can say "the government needs to know who is a citizen and who is not", and I can understand this rationale to some extent, but even then I wonder whether this has to be correct. Perhaps we could have a global society without any requirement to be an identifiable citizen per se. Things such as mandatory age-verification sniffing would then never become an issue, because it is not needed and not possible, and nobody would have an addiction-like need to sniff for that data (we know Meta and co want that data, which is why their lobbyists run rampant via the "but but but somebody protect the children" lie).

itopaloglu83 yesterday at 4:31 PM

[flagged]
