
> It's not like there are any real penalties to a breach.

Not in the US maybe. In the EU under GDPR you have to disclose within 48h of you realizing (or made aware of) the breach.

There are fines (at least) if you don't disclose it afaik.

Oracle is gonna have issue with the EU, most likely.



Maybe the EU wasn't on the Signal group chat when Oracle notified The Atlantic of the breach


SEC Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules - https://www.sec.gov/files/33-11216-fact-sheet.pdf


I mean it's true that there's a rule, but at this point in US history I think we have reason to be sceptical that it will be enforced.


The SEC selectively enforcing the rule does not prohibit a shareholder suit against the company. "Everything Everywhere Is Securities Fraud" after all.


Additionally, while not specific to this SEC enforcement action, corporations also have to think long term, just because this administration is not enforcing laws, doesn't mean the next one can't reach back and do so, the laws are still on the books after all.


Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue? Admittedly, I don't watch too closely, but from the ones I am aware of, I haven't seen any GDPR fines that made me finally think "wow, that might actually count as a punishment". (I would honestly be happy to learn of some!)

There are disclosure laws in the US as well, but again, the fines are like a day's worth of revenue. Maybe the breached company has to provide a year of credit monitoring for the affected persons, if lucky.


Several of the fines have been in the hundreds of millions of dollars - and while not crushing to Oracle, that's actual money that will definitely change behavior. https://www.enforcementtracker.com/


Many of these are against public bodies... Hundreds of pages of lawyers going back and forth, and in the end the money goes from one part of the government to another...


Nice, thanks for the link!

The largest fine ever issued is about 2% of Oracle's 2024 revenue. If we average the top 5 fines ever issued (this breach surely won't result in the largest GDPR fine ever), it'd be about 1% of Oracle's 2024 revenue. So, between ~3.5 and ~7 days' worth of revenue, if we're lucky and get a top 5 GDPR fine?

I'm not sure that is in the "definitely change behavior" area yet (in fact, I'm confident it is not), but better than I thought.


7 days of revenue, 1 whole week out of 52 that all of your workforce production went to pay a fine? Yeah, that's quite noticeable for a corporation.


If this breach receives a fine in the top 5 fines ever issued in the entire history of GDPR enforcement.

Don't forget to subtract out the money they saved from reduced investment in security over that time, as well.

Noticeable? Sure. Nowhere near noticeable enough, though, in my opinion. Especially if we're serious about it and recognize this isn't going to be a top 5 fine.


Presumably if it's due to negligence (i.e. intentional lack of investment) it will happen again if the underlying issue isn't fixed. So you have to factor that in.

If it happens repeatedly presumably the percentage will go up.

I think the only way this gets written off is if saving the money opens you up to such a low level of additional risk that you don't reasonably expect the event to happen more than once (if ever). But if the risk level is actually that low (I don't believe this to be the case, just playing out a hypothetical here) then arguably they wouldn't be in the wrong.

To put this in regular person terms, 3% of a 6 figure salary is $3k. That's more than enough to get most people's attention.


We rightfully see corporations as amorphous entities, but I wouldn't like to be the VP/director that this fine gets blamed on. Nor, probably, would other adjacent management staff.


Right - comparing it to a percentage of revenue ignores the managerial aspect of someone having to explain to their boss or to Larry why the $100M budget they manage is going to be 100% over.


If that were true companies wouldn't get fined over and over again year after year.


In the UK, and I presume the EU also, the fines for losing customer data are set as a % of company annual worldwide turnover.

https://ico.org.uk/for-organisations/law-enforcement/guide-t...


> the fines

They're not fines though if no money changes hands.

So far very few if any of these supposed penalties have actually been paid.

There have been a few good articles published about the total Euro amount of "penalties" and actual enforcement actions, and the ratio is something like 100:1 or worse.


According to the GDPR enforcement tracker link helpfully provided by the sibling commenter, we'll be lucky to see a ~1% fine of the 2024 revenue of Oracle. That's assuming that the fine issued is in the top 5 GDPR fines ever issued. Even 4%, the cited higher maximum on your link, is kind of peanuts (not sure this breach would even qualify for the "higher maximum", as I'm unfamiliar with the laws, so it could be a maximum of 2% if counted as a "standard maximum").

To me, that's still in the "cost of doing business" territory, not the "punishment" territory.


4% of revenue is terrifying for large corporations.


Have they ever issued a fine for 4% of revenue? That's the maximum fine possible, under the non-standard "higher maximum" category. This breach surely won't be given the maximum considering there isn't really anything noteworthy about it.

We should consider the maximum that has actually been issued, then subtract some off of that. You also have to subtract out all of the money they saved over the years of reduced investment into security.

I think that lands us squarely back into "cost of doing business" land.


It's impossible to take their fears seriously—literally any kind of social obligation is going to be scary for an entity with no desire to do anything but feed its owners.

Wait until you see what kind of reaction 40% gets! Existential threats will be the only things that work.


If a fine isn't an existential threat what's the point of it? Hoping next time they'll care more? tf?

The EU needs to tack another 0 onto these percentages if they want to see movement.


If the fines were existential threats, who would even want to do business in these countries?


> Have there been any GDPR fines that amount to more than a rounding error of Oracle's revenue?

Not yet, hopefully soon: under some circumstances GDPR fines can go up to 6% of gross earnings (EBITDA) iirc.


> In the EU under GDPR you have to disclose within 48h

72h actually, but yes, data protection and breaches to sensitive personal information is taken very seriously in the European Union and its legislation.



