
For private individuals perhaps it shouldn't be criminal. But for businesses responsible for other people's private information? Yes, I think there is professional negligence if they cannot even restore backups in a timely manner.

(Or cannot detect infections before they become so widespread the whole thing falls down.)




The action that a business should be punished for is not keeping their customers' information secure. Paying a ransom to recover after they are the victim of a crime should not be what they are punished for. If they were doing everything right but still got hit by ransomware I don't think they should be punished. If you can prove that they wrote their login info on a sticky note and left it in the main lobby then you should punish the bad security practice if it exposes other people's information.

Several parts of the world have kidnapping and piracy issues, and you can buy kidnapping/piracy insurance to pay ransoms in case you are the victim of such a crime. I think most people in the world acknowledge that sometimes bad things happen even when you take reasonable precautions, and you shouldn't be punished just because you were the unlucky one. Most security experts agree that no computer system is un-crackable, there are just varying levels of sophistication and access needed to do so. We've even seen that Stuxnet was capable of jumping air gaps. If a business had such good security that their database and backups were air-gapped but still was hit by ransomware do you think that they should still be fined?


> If they were doing everything right but still got hit by ransomware

Then I'd say they weren't doing things right. Granted there should be exceptions for when they really did do their best, but generally no.

> Most security experts agree that no computer system is un-crackable

It doesn't have to be; it merely needs to not be worth the effort to the criminals.


Sure, maybe they could do more.

Could they have done more with the resources they had? Would taxpayers/stockholders fund it? Would a small business have the cash flow to do better? If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

It is really easy to say after something happens that they weren't doing things right. It isn't always so easy before things happen to know if things are done correctly, though. And trying to figure out what isn't worth it to the criminals is rather difficult. Some folks do quite a bit for an otherwise small amount of money, especially if they feel the victim "deserves" it.


> Would taxpayers/stockholders fund it?

And who pays the ransomware when it happens, if not the taxpayers/stockholders? Or does money just get created out of nothing when needed?

> Would a small business have the cash flow to do better?

IME small businesses can do it if they want to. It takes care, meaning policies, it's not expensive. Also small businesses are less attractive to large criminals.

> If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

If they got publicly ransomed, it would become very obvious something needed looking at. The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off, and everyone can see what happened, and other businesses can decide perhaps to up their security based on the results).

These are all strawmen. I'm not asking for uncrackability, merely due diligence. A little of that goes a long way. These arguments don't stand up. You seem to be arguing for... what?


> And who pays the ransomware when it happens, if not the taxpayers/stockholders?

Considering the order of magnitude of places that do not receive a ransom compared to places that get ransomed, the cost is probably on the security side.

> These are all strawmen. I'm not asking for uncrackability, merely due diligence.

But you apparently define due diligence as "not getting cracked," which while different from uncrackability is still an unfeasible demand.


> considering the order of magnitude of place that do not receive a ransom compared to places that get ransomed, the cost is probably on the security side.

And if ransoming is profitable, what does that do to the market? Does it a) inhibit more ransoming or b) encourage more ransoming?

> but you apparently define due diligence as "not getting cracked,"

Don't misrepresent me - here's what I actually said: "The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off..."

So they can be let off. It says so clearly.


An alternative is that by working together with law enforcement you can use the interactions with the criminals (together with tracking the money) to better understand the criminal organizations.

How is this different from making it illegal to give your wallet to a thief at gunpoint?

(Obviously here there is the difference of personal harm, which correctly resides at a different level; at the same time the stance of non-negotiation with terrorist organizations was also justifiable in my opinion.

If what we can agree on is that you must wait for the permission of law enforcement before you pay a ransom, so that they can reasonably confirm you are not inadvertently funding ISIS, and also put in place all available precautions, that is already a step forward.

Nobody thinks that paying a ransom is a good thing that should be done as soon as possible. At the same time not everything is a nail.)


> An alternative is that by working together with law enforcement...

If we put that on the table, yes, that's a grand idea.


The part I would criminalize is the money-wiring part.



