by ctab 3184 days ago
Good point, although the report states 3 billion user accounts were breached but this doesn't mean 3 billion people. I am guessing the vast majority of accounts did not contain any sensitive information.

And maybe insurance isn't the right word; the risk should probably fall to the company holding the data, not a third party who would never be able to audit every single step to ensure there is no weak link.

2 comments

The first step towards this is having useful industry standards for auditing and certification that actually work... then you can think about an insurance market where insurers force certification.
True, it wouldn't be 3 billion individuals claiming the benefit. Still, the scale is so large that it would utterly bankrupt most companies to pay out for a single breach.
If the cost of disclosure was a dollar a user there's pretty much no way we'd see them voluntarily tell us they were hacked. We'd have to wait until the information got out some other way.
Not a perfect solution, but sure. "You're the weakest link - goodbye!" <everyone else flinches and reviews infosec>
I think hehheh is saying that a policy like this would strongly encourage hiding breaches. No one would openly admit a breach if they knew it would kill the company. The net effect would be less transparency, not better security.