Data breaches keep happening, they keep getting worse, and yet companies keep collecting our data in ever-more-invasive ways, subjecting it to ever-longer retention, and systematically underinvesting in security.
Why does this keep happening? Because it's affordable. In 2014, Home Depot breached more than 50,000,000 credit cards; in 2016, they paid less than $0.34/customer in restitution.
There are longer-term reputational costs associated with breaches, but these are not generally factored into the quarterly-earnings-focused mindsets of corporate execs and strategists.
An awful lot of change could be made simply by adjusting the law, and it needn't even be something as far reaching as the European General Data Protection Regulation: even establishing a set of statutory damages that people caught in breaches were entitled to collect, and banning the use of binding arbitration clauses to escape these liabilities would go a long way.
The statutory damages should reflect the cumulative nature of breaches: how a breached dataset can be combined with other breached datasets to build up devastatingly effective attacks -- the kind of thing that can cost you your whole house, even.
If companies were paying out damages commensurate with the social costs their data recklessness imposes on the rest of us, it would have a very clarifying effect on their behavior -- insurers would get involved, refusing to write E&O policies for board members without massive premium hikes, etc. A little would go a long way, here.
If you live in the United States, there's almost a 50 percent chance your personal data was lost in the giant Equifax data breach a year ago of 143 million records. Google had its own data breach in October this year that exposed data on as many as 500,000 accounts. Or the most recent Facebook breach of data from 29 million users. Or, over the last five years alone, major breaches at Anthem, eBay, JPMorgan Chase, Home Depot, Yahoo, Target, Adobe … but you get the point. If it's a day that ends in “day,” there must have been another major data breach that keeps criminal hackers gainfully employed by selling your information.
Bad guys keep getting smarter, experts say. Why not corporations? The short answer is, because it's not worth their trouble.