You imply there's no real or minimum responsibility for a site to afford security. There are no guarantees. But there needs to be oversight. Because there's no absolutely secure oversight then just don't worry about it? Who decides what "adequate" security is?
And there are times that's absolutely appropriate. It's certainly more effective and realistic than declaring the death penalty for hackers. Who decides what hackers get the death penalty? We don't do much with it for murderers. But sure – we can get it for hackers. Your solution is penalizing the victim.
If your kid leaves your car unlocked and someone steals your camera or laptop without breaking in, do you not see that as a fail on his part? No, because "they" probably would have broken in anyway? You leave your keys in the IGN and somebody steals it – not your fault, right? Just make a police report and notify your insurance company. Of course, being an honest person, you'll tell both about leaving the keys in the IGN. I didn't think so. You leave your toddlers with the baby sitter and when you get home the kids are gone because the sitter didn't lock the door while cruising the 'Net? That's ok? A garage fails to lock up and your car is stolen or vandalized and it's your problem because you don't have insurance? You don't lock your house doors because someone can kick in most residential doors even with deadbolts properly installed? Don't you think your surgeon should have graduated from an accredited medical school? Yes, trained, experienced surgeons have nicked an artery or amputated the wrong limb. There are no guarantees. But the odds of something bad happening are generally reduced by actually completing a qualified medical education.
Sometimes blaming the 'victim' is appropriate because the 'victim' has responsibilities that were ignored. Yes, at some point a hacker will exceed the limits of current security protocols. That's a different story.
Nothing I said implied anybody be held responsible for a force overwhelming state-of-the-art security. It will happen. But there are many things a company should do to protect data. Some breaches have found customers' passwords and other info stored in plain text. There are two types of security — proactive and reactive. If a company isn't proactive when they should have been, they should be held accountable. If a company doesn't react when breached, they should be held accountable. And don't wait a year to tell us your company has been breached.
If I use 1234 and password for my passwords and my data is stolen, that's on me because I could have used a strong 26-character password. My financial institution uses 1234 or password to access their servers – I'd say they failed to do their job.
Anybody who accepts and stores our information should be held responsible for taking reasonable efforts to protect it from hacking. How would you feel if your financial institutions used http instead of https?
I'm more comfortable with somebody like a State AG checking out a company's security than I am having anybody trying to implement the death penalty for hacking. I am a big proponent of capital punishment but it's not something I throw around lightly.