“Lawmakers in Massachusetts are poised to consider legislation that would force retailers who suffer data breaches to cover the costs associated with any fraud-related losses by their customers, according to a story in today’s Wall Street Journal.” -Washington Post
That’s the best idea I’ve heard all day. Of course, it’s not exactly a new idea. Economists know that companies will not spend money to avoid a bad situation unless it directly hurts them financially. Otherwise, it’s an externality – the majority of the cost of data breaches falls on the individuals whose data has been lost or stolen. Prior to the laws requiring public notification of data breaches, many organizations would attempt to contain the incident and keep it quiet. That minimized the impact of negative press and a backlash from affected customers. By adding a serious monetary penalty to the equation, I think we would be taking a step in the right direction, toward corporations being held responsible for keeping your information protected.