Five former executives of a pharmaceutical company in the United States, including its founder, were arrested, charged and convicted in early May 2019 for bribing doctors to prescribe a highly addictive painkiller to patients who didn’t need it and tricking insurers into paying for it.
The Food and Drug Administration (FDA) in the United States had approved Subsys only for treating cancer pain. While doctors are free to prescribe any medicine for various purposes, the charge against the pharmaceutical company was that its business plan was all about encouraging doctors to do so in order to boost sales. The motto was simple: profits before patients.
Apparently, this approach to boosting sales is common to all pharmaceutical companies, and company after company has paid huge fines, sometimes in the billions of US dollars, to settle charges of pushing their medicines for unapproved uses.
In the software industry, the approach taken by some software companies is moving along the same path. Not every organisation requires preventive software to manage its cyber risks. But sales executives appear to be proposing their software to organisations that don't really need it. These organisations are led to believe that, once installed, this preventive software will solve and stop potential attacks from happening, without realising that the human factor plays a significant and huge role in most cyber attacks.
This preventive software is no different from the above case. Under the Federal Racketeering law in the United States, authorities there can pursue and initiate criminal action against any organisations or persons found committing acts which are either forced or coerced on another party to get a financial gain. Cyber extortion on a user’s computer is classified as racketeering. A hacker may illegally push malware onto a user’s computer, which blocks all access to the computer and to the data stored on it. The hacker (or their partner) then demands money to restore the user's access.
Would the US authorities investigate cases where data was breached, as it is highly likely that data stolen from an organisation could be used to send ransomware to the individuals concerned?