>this must mean the consequences of such a breach has either not produced any visible damage
Yeah lets say you were carrying unencrypted frames for Bills Burger Hut.
The largest extent of the damage might be sniffing some smtp credentials or something. Bill sends some spam messages, never figures out how it was done but their IP reputation is always in the toilet.
Lets then say instead of Bills Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isnt a scammer, but a hostile nation state. Customer never realises, but theres a large, long term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.
No one gets fired until after the worst case long term damage, and even then probably not.
In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.
If you fire people for stuff they didn’t maliciously introduced you will end up with no people to work with.
Imagine jailing doctors for every patient that died you would be out of doctors quite soon.
The legal system already has sufficient cop-out: for anything that you should have been aware of, or would have been informed about.
Eg. doctors do get sued and fired for malpractice, if they did something no other skilled doctor would reasonably do ("let's just use the instruments from the previous surgery").
End user license agreements are a huge part of the problem. Ideally users could sue if our data is leaked - and the threat of being sued would put pressure on companies to take security more seriously. Ie, it would become a business concern.
Instead we're constantly asked to sign one-sided contracts ("EULAs") which forbid us from suing. If a company's incompetence results in my data being leaked on the internet, there's no consequences. And not a thing any of us can do about it.
There is in at least California, the EU, and China. A lot of clauses in EULAs aren't actually legal.
On the other hand you can't sue a company for losing your data in many EU companies. You can report them to whatever data protection agency your country has, and after an investigation they can fine, and/or, in more serious cases turn the matter over to the police for a criminal investigation.
The disadvantage of this is that the local data protection agencies haven't been handing out very big fines. Sometimes that's due to company law. In my country you'd fine the owning company, which in many cases will be a holding company. Since fine sizes are linked to revenue and a holding company typically has no revenue, this means fines are often ridicilously small.
Or, the entity being damaged is not the decision maker and has no power to hold the decision maker responsible.
Or the damage is diffuse whereas the costs of preventing the breach would be concentrated. Or the connection between the damage and the breach is difficult to prove.