> imagine that in 1920, the Canadian military marched over the border and robbed some banks
The international law on this is rather complicated but I believe that those affected would have a case against the Canadian government, as well as being covered by the US bank insurance system.
However, in the case of Equifax, personal data isn't the property of the person (in the US system) and so you don't have a case. You'd need to have an EU-style data protection system rather than a US system which treats data as free speech.
Which is why military operations are conducted as an extension of policy, not as an isolated show of force.
It would be the mounties robbing the banks and then threatening to return with greater force if we show any attempt to recoup losses from canada, but then we steal their lumberjacks, then they strike out alaskan oil sites, oh boy are we at war?
National security advisors have long indicated civilian infrastructure to be the primary cyber vulnerability, not military assets.
Its the german ballbearing factory all over again.
So to not hold these companies liable is genuinely generating a national security threat, where threat is defined as a risk with a real probability of being realized.
The international law on this is rather complicated but I believe that those affected would have a case against the Canadian government, as well as being covered by the US bank insurance system.
However, in the case of Equifax, personal data isn't the property of the person (in the US system) and so you don't have a case. You'd need to have an EU-style data protection system rather than a US system which treats data as free speech.