autoexec 3 days ago

There are various state laws that require companies to notify their customers of security breaches, but they lack enforcement/teeth so they're routinely ignored. It'll never happen in our current environment but we really need a federal law that causes violators enough pain that companies will actually bother to follow the law.

TrueDuality 3 days ago

While that's true, many enterprise customers are going to have MSAs with notification requirements that have contractual punishments for failure to notify of material security incidents. Those are probably what Oracle is trying to avoid.

asciii 3 days ago

I believe enterprise customers are not going to care much unless it helps with lowering existing costs.

OTOH, Oracle, as part of the BSA, can demand an audit, so they will inflict / make up a reason to also punish the customer (i.e. licensing or pulling support). The business could invoke an MSA punishment clause and win temporarily, but it will cause a headache going forward (further demands from Oracle, higher costs, etc.).

Either way, Oracle gets what they want.

praptak 3 days ago

Unless the customer already wants to ditch Oracle.

stackskipton 3 days ago

Very few companies want to do business with Oracle (or IBM). Most are either stuck with one of them, or the costs of switching are too high for executives to greenlight.

eru 2 days ago

I don't get your argument.

Wouldn't adding teeth to the state laws be the right thing to do?

autoexec 1 day ago

It would help, but it'd be better for everyone if there was just one law to worry about which covered everyone (or at least set a minimum standard) rather than having 50 different versions of the same law all over the country each with their own definitions, thresholds, penalties, etc. It'd make things a lot less complicated for both companies and consumers, especially given how often a single company's data being exposed impacts people all over the nation.

eru 8 hours ago

You don't like federalism much, do you?

Btw, states already coordinate voluntarily on things like traffic signs, without there being a central authority. (That's true both for states in the US and for different countries around the world. A stop sign looks pretty much the same around the world, without any central authority enforcing that.)