Well, for one, you can legally obtain much more detailed information on a person from any background check application currently available. So, it's arguable this has really increased the likelihood of a future crime.
"In criminal law, strict liability is liability for which mens rea (Latin for "guilty mind") does not have to be proven in relation to one or more elements comprising the actus reus (Latin for "guilty act") although intention, recklessness or knowledge may be required in relation to other elements of the offense."
Proving recklessness is harder than you think.
If data is leaked because someone within a company with the appropriate level of access decides to sell out to the dark web, all the security in the world won't protect you. Should the CEO go to jail because an employee turned on the company?
Heartbleed - you could have had 100 security professionals on your team, and you still would have been vulnerable. Should every CEO on the planet go to jail?
Security persons do make mistakes and leave keys in places they shouldn't, genuinely by accident. Who is going to jail for this error? If you think you are sending the security personnel to jail, well, we're going to have an exodus of people willing to call themselves security personnel, because no one is paid enough to risk jail for a job.
So, it's not a matter of defending ineptitude, it's a matter of recognizing the problem is complex and unless you can have clear boundaries of what is punishable and what is not, you're going to have a bad time enforcing anything that makes a difference. As a security person, I'm sure you know a policy without adequate enforcement is absolutely useless.
The hardest part of data processing is collecting it. If you can just grab already collated data for cheap, then it absolutely is more likely to be exploited.
That's all true, but continually talking about what a hard problem it is as a way to avoid settling on some harsh penalties (financial or custodial) for negligence of various types only perpetuates the problem. Courts can decide whether a harsh punishment should actually apply in any given case. But right now, no such punishments are even defined so there are no strong incentives to minimize negligence and restrict collection and distribution of that information.
tl;dr penal incentives function like a sword of Damocles. As long as we're debating whether and what size of sword to hang from a thread, Damocles has no reason to worry.