~$0.05 per person affected is a pretty compelling cost avoidance versus having to pay for security and compliance personnel, not to mention potential reputational damages and lost revenue from actually following the rules and telling people you were hacked.
If you read past the headline, it's not $0.05, it's $5.07. 100 times higher. Maybe even more, if you only count New Yorkers that were not notified about the breach (255,294).
And it sounds like they weren't fined for the breach. They were fined for negligence after the breach.
Corporate fines make a lot more sense once you understand they're not there to stop the behavior, they're there to make sure the shakedown ensures the state gets their cut. They don't actually want to destroy the company, they want their piece of the action by proxy.
> They don't actually want to destroy the company...
Sure, just like a speeding ticket doesn't get punished with the death penalty. Of course that's not the goal of the fines. Why would you expect it to be?
My college campus had a huge parking problem. One time I got a ride from a classmate, and he rolled up and parked in a clear no parking zone. When I pointed it out, he said "oh I'll just pay the $50 (or whatever) ticket. I always do it when I'm running late for class."
Parking enforcement was happy since they made a bit of money. The student was happy because he got to park in a prime spot for a fee that was insignificant for him. However, if the goal was to stop people from parking in certain areas, the policy failed miserably.
Corporate fines work the same way. If they make $10 from an illegal action and are fined $1 for it, it isn't a deterrent, just a good investment opportunity.
In Finland's case, if you are filthy wealthy, you should never drive yourself. Hire the cheapest person that is a good driver and pay their tickets for them.
The existence of an agency designed just to root out this behavior provides a lot of incentive. The folks who create the agency get to say they're doing something about the problem and look good. The folks in the agency get jobs and all that entails.
Doctors want people to be sick, police want people to commit crimes, the military wants wars. This is a dangerous mindset.
Did they improve their practices after the breach? Sounds like they did:
"Zoetop became independently certified as PCI DSS compliant in April 2019 and has remained so since."
Now I know that PCI DSS is complete shit, but that's the only tool they have. I'm all for criticizing the state, but it sounds like in this case they did their job just fine.
How does this even get enforced? Does Shein have any assets in the US? Seems like it's a totally Chinese/Singapore-based company that just mails stuff to other countries.