by ctab 3184 days ago
This could be a voluntary insurance that companies purchase on behalf of their users. If the company suffers a breach, they will be bound to pay X amount to their users depending on the data lost.

Dress it up with a fancy badge to slap on the front of their site. Maybe a silver badge means user data is insured up to $10 each; a gold badge is up to $100; platinum up to $1000.

So Yahoo would have been insured for somewhere between $30 billion and $3 trillion in this scheme? That seems untenable. Good luck collecting from the bankrupt insurer.

Good point, although the report states 3 billion user accounts were breached, but this doesn't mean 3 billion people. I am guessing the vast majority of accounts did not contain any sensitive information.

And maybe insurance isn't the right word; the risk should probably fall to the company holding the data, not a third party who would never be able to audit every single step to ensure there is no weak link.

The first step towards this is having useful industry standards for auditing and certification that actually work... then you can think about an insurance market where insurers force certification.

True, it wouldn't be 3 billion individuals claiming the benefit. Still, the scale is so large that it would utterly bankrupt most companies to pay out for a single breach.

If the cost of disclosure was a dollar a user, there's pretty much no way we'd see them voluntarily tell us they were hacked. We'd have to wait until the information got out some other way.

Not a perfect solution, but sure. "You're the weakest link - goodbye!" <everyone else flinches and reviews infosec>

I think hehheh is saying that a policy like this would strongly encourage hiding breaches. No one would openly admit a breach if they knew it would kill the company. The net effect would be less transparency, not better security.