[bertil]

First off, for anyone who hasn’t read it: yet that title is, expectedly, disingenuous: it is not asking to ban companies from holding customer data but offers basic advice.

In my experience, people who can implement the solutions that they are describing i.e. who would enjoy reading that “Have I Been Pwned (…) offers an API” know about these, are not those deciding whether to work on implementing it. Managers who allocate budgets are. Having a clear list of things to do is great but managers tend to see those are part of the long list of things to do, long list that they do not have the budget to handle.

What could be more helpful is an estimate of how likely not doing it is going to be a problem and how much that would cost the company. Anyone willing to associate a benefit to each step?