Question about legal responsibilities under network security breach

Started by
8 comments, last by N1njaSt0rm 7 years, 4 months ago

Hey,

Say we have company A, that does software development for company B. An employee of company A does some action that, by negligence, makes private and confidential data of company B, stored on company A's servers, publicly available.

A curious attacker extracts that information and asks company A for money in exchange for not making it available.

Then a third company, company C, consults for company A to resolve this scenario by catching the attacker (working with the police etc.).

Companies A & C have an NDA signed, which, by my judgement, has been broken once the attacker has seen the documents.

The attacker might get a sentence from the judge, since he asked for money in exchange for the data.

My question is: is the attacker the only one who should face the law in this case?

The attacker is the only criminally responsible party. But company B can still sue company A for not being more careful with company B's data.

-- Tom Sloper -- sloperama.com

The attacker is the only criminally responsible party. But company B can still sue company A for not being more careful with company B's data.

I understand. Let's further say company A doesn't notify company B of the breach, and the attacker somehow manages to contact company B and tell them what happened ("I saw your data"). How can this be worse for A than the original case?

Companies A & C have an NDA signed, which, by my judgement, has been broken once the attacker has seen the documents.

Unless the NDA clearly states that the agreement expires in such a situation, then it doesn't. An attacker could be lying about seeing the documents, for example.

Regarding your general question though - you're asking something very broad and which will vary from place to place. In theory, software companies that are negligent could be punished for it by some authority or other. In practice, software companies are negligent all the time and get away with it. And there are grey areas of what "publicly available" means - just how much effort must an attacker put in for it to be considered that the original developer was negligent?

The attacker is the only criminally responsible party. But company B can still sue company A for not being more careful with company B's data.

True but company A should have some kind of indemnity insurance specifically for this. I'm just a contractor and I have to purchase insurance to cover this.

Companies A & C have an NDA signed, which, by my judgement, has been broken once the attacker has seen the documents.

Unless the NDA clearly states that the agreement expires in such a situation, then it doesn't. An attacker could be lying about seeing the documents, for example.

Regarding your general question though - you're asking something very broad and which will vary from place to place. In theory, software companies that are negligent could be punished for it by some authority or other. In practice, software companies are negligent all the time and get away with it. And there are grey areas of what "publicly available" means - just how much effort must an attacker put in for it to be considered that the original developer was negligent?

Let's say I'm "more or less" talking about a specific situation that happened. I'm just trying to understand the situation better. The effort of the attacker was rather minimal, from what I've heard. The company seems to have gotten away with it, and the argument I've heard was: "everybody exposes data like this and it's common, because installing this kind of software - which from what I've understood was installed for learning reasons by A's developer - is a common thing".

I'm not sure how common that is and, to be honest, what got me upset about the whole story was a biased presentation that basically said: Company A didn't do anything wrong, they did a common thing, and the attacker is a very bad person, he should bear all the guilt.

Is it common that software companies are negligent? Yes, of course. Barely a week goes by when we don't learn of some data breach somewhere.

Was Company A in this situation worse than most companies? I don't know, and that information's not available here. It's implied that it was accessed via some sort of software that is commonly installed, which means the questions are: "was it reasonable to install that software?", "was that software installed correctly?", "how hard is it to secure that software?" etc.

Should Company A take any responsibility? Depends on a bunch of things. Did they break a contract with Company B? We can't answer that. Did they fail to meet minimum legal standards regarding keeping data safe? Again, we don't have enough information. If you want clear legal answers you're going to have to (at a minimum) name the jurisdictions involved.

It is interesting to think about how we decide who the true victim is, and who should be blamed for bad things happening. What is the minimum you should do to protect yourself - whether we're talking about hacking, or robbery, or physical violence. If you walk down a dark alleyway and get mugged, should you accept some of the blame? What about if you know the alleyway is dangerous?

  1. Company A is liable for civil charges.
  2. The employee is liable for civil and possibly criminal charges.
  3. The attacker is liable for civil and definitely criminal charges.

In countries where Civil Law is applied, Company A has "in contrahendo" and "in vigilando" responsibilities. Company A has in contrahendo responsibilities because the company breached a contract, and also, if the employee happens to have had a criminal record or bad references from previous employers, because it failed to do due diligence when it hired the employee. Does the employee have a criminal record or bad references from past employers? If not, then...

In vigilando responsibility because Company A is responsible for "watching" what the employee does during working hours. Did the company take reasonable steps to ensure something like this doesn't happen, or does this employee happen to do whatever he wants with no supervision? Is it common for these things to happen? Was this the first time? Did the employee take an unreasonable amount of effort to circumvent the company's security? How long was this data exposed? (1 second, 1 hour, months?)

A lot can be done to prove it (how often they report to a supervisor, whether there are security cameras, sysadmin logs, strict firewall rules, good security policies & practices and how they're being enforced, how often passwords are reset).

All of this has to be proven in court (Company B has to prove A was negligent; A has to prove they were not and that this data breach could not reasonably have been prevented), which is why sometimes company B may never sue A unless a lot was at stake.

Is company A liable? Yes. Will they sue? Who knows.

I don't get how Company C's NDA was breached; it is my understanding C was hired to catch the attacker after the data leak happened. If that's the case, I don't see how C is liable for anything.

If company C had already been hired by A before the leak to keep their documents safe, then B can sue both A & C; and A can sue C.

But this is not set in stone. If the data from company B that was leaked documented how they pursued illegal activities, the whole thing changes entirely.

Btw this theoretical scenario sounds very real. Contact a lawyer.

PS. Forgot to say that in order to sue for civil damages, the plaintiff must prove they were harmed in some way. If no damage was done to B, then they can't sue.

if the employee happens to have had a criminal record or bad references from previous employers

I think you missed the part in the original post where it was stated that the information was made public "by negligence", not by a deliberate malicious act.

Security breach laws are mostly governed by state laws. Here is a very useful summary you can use to know IF you have to disclose the breach and what you have to do about it: http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf. Please note that you have to obey the laws of any state in which you do business, which means if you are selling something on Steam you have to obey all 50. The easiest way to do this is to find the most restrictive one and then follow that.
