it is not only the data of the 100K one-time members that is important - the unencrypted and badly protected data
no, the real question is the following - and this is VERY important for Belgium
What are the responsibilities of the hoster and what are those of the owner of the site, and between the owner and the programmer or maintainer of the site?
If a site is hacked because there is no application firewall, or there is one and nobody looks at it, and the hack could have been prevented if there had been an application firewall that was well manned and maintained, then is there shared responsibility or not?
if the hoster has really set everything in place to prevent attacks, hacking and data extraction, and has given the site holders all the tools to protect and monitor their site and to encrypt and separate their data and so on, and the site still gets hacked because the site is so badly configured, then is the badly configured site responsible for all the damages, including the risk to the other sites on that host?
or should the hoster automatically check the state of security of the hosts on its servers, to be sure that some insecure servers don't do damage to other sites or the whole infrastructure, and warn them that they are so insecure that they could be a risk and that the legal and financial consequences if they got hacked could be quite great?
And if the hoster doesn't do that, is he or she then irresponsible because he lets some very dangerous site also put the security of the data of the other sites on the same host or network in danger?
and if the programmer does his job but asks for upgrades, support and some paid tools to better secure the data and the application, and it is refused, and he informs the owner of the site or the hoster of the possible consequences if these things aren't done and they still refuse, is he responsible if finally the site gets hacked and data is lost (in the best case)?
these are the questions surrounding the 9lives case, and this is what makes it such an interesting case for the privacy commission - one that only comes by from time to time - it is for that reason an opportunity
but it wouldn't surprise me if Telenet would do everything to make it go away, asking everybody to protect their brand name and the credibility of the business and its security
but maybe the organisation of hosting firms in Belgium can take the initiative themselves and sit together and set up different levels of security they could deliver, at what price, that would be checked and certified by authentic external partners (bronze, silver, gold). If someone with very important data or a lot of data would still decide to pay for only bronze, even if he doesn't have the resources to compensate himself, and even if the legal department of the hoster informs him that he should take the gold contract because legally his responsibilities and risks are too high in view of the kind of data or the volume of data he has online ...... then that is a risk he takes and an insurance he should take (but he wouldn't, because it is too expensive and much more expensive than just securing your site and data as you should)