Couldn't they just re-incorporate the next day in another jurisdiction?
Or it implies that the state can force them to sell all the assets, lay off all the workers, and return the money to creditors.
Well in either case, it is a nice fantasy. Doubt anything like that would happen. Even worse, after nothing happens, everyone who deals with such data will watch and learn a valuable lesson - "Don't bother with security or data protection much, just hire a PR firm and wait for online news to cool down for a month, then continue as usual".
Look at their stock https://finance.google.com/finance?q=NYSE:EFX was $140, crashed to $100 then recovering, now at $110. Only 20% down or so. And that's after losing SSN, names, addresses, etc. for a large chunk of the US population.
I don't think there's a good legal framework for forcing a company into dissolution, because the normal path is for assets to be distributed to the shareholders, and if the shareholders didn't want to dissolve the company, they could presumably take those assets and continue the company's operations.
I love the idea of a "corporate death penalty", but I am not sure how it would work under extant law. Maybe some sort of special "bankruptcy with prejudice", where a company would be prevented from reorganizing or restructuring such that it would be forced to sell itself for scrap in order to pay off a class action judgement? That might do the job.
It's really a shitty hack, though. The real solution is to make the undesirable conduct illegal, and ramp up both penalties and enforcement. Mostly enforcement, because the most effective way to deter criminality is to increase the chances that someone will get caught; increasing the penalty while still leaving the odds of getting caught low isn't nearly as compelling a disincentive (due to human cognitive biases around probability, from what I can tell).
The "corporate death penalty" is satisfying in the same way that the actual death penalty is -- it's not really about deterrence, it's social catharsis through ritualized violence. Which is fine, at least in the abstract; it's something that all societies do if you look hard enough, and I tend to think it's better to do it in the open. But it's a mistake to say that it's about deterrence.
We know how to do deterrence; in the context of business misbehavior, there are all sorts of profitable but illegal things that businesses just don't do, because there are regulatory and enforcement structures that make it a Bad Idea. That's how you do deterrence, but it requires a political consensus that the action really needs to stop.
Right now, I am not sure there is a political consensus that what Equifax did was wrong and that a new enforcement structure is needed to prevent a re-occurrence. There's perhaps an emerging popular consensus, but I am not sure that our government is in tune with that popular consensus on an actionable level yet. How to get Congress there is really the challenge.
That would be worse - the database of information isn't gone, but sold, to who knows where?!
I think instead of dissolving the corp, they have to be made responsible for the information they leaked out. Fines, or jail time for the executives, or something like that (as I don't believe there's a technical remedy for the lost information - it's already leaked).
Not that I expect that to happen, though.
The thing to look out for, and call me paranoid if you wish, is now to "rectify" the problem, government or corporations (or both), now start to demand RFID biochip implants as a reliable means of authentication... or transacting business.
It sure looked far-fetched before the Equifax breach, now not so anymore.
The stock market appears to disagree with you.
2) US government should demand a list of all affected SSNs
3) US government should use pre-breach tax data to issue replacement SSNs to all affected and send Equifax the bill for doing this.
3) US governments should ask the courts to consider any use of a breached SSN on any credit issued after breach date to not be enough evidence alone for any credit recovery processing (basically nullifying any credit after the breach for an affected SSN without the Banks being more careful with regards to identity checks).
I just don't think it's practical to reissue millions upon millions of SSNs. We need a more permanent and secure system than SSN entirely.