[calvano915]

Companies have a reasonable obligation to protect our data, so I'm with you if they were negligent in prevention, detection, mitigation, or revelation. If they took reasonable measures to prevent, and were forthcoming if compromised anyway, and took measures to minimize damage to users, there's no reason to blame them.

[adrianN]

"We used best practices to protect your data" is such a bullshit excuse. If a bank gets robbed its customers aren't told "sorry your money is gone, but we had it behind a locked door, so we're not liable".

If a company decides to collect, store and profit off of my personal data and they lose it, I really don't care about "best practices". They profited from my data, they have to pay if they lose it. The company always has the choice of not storing the data in the first place, if they can't bear the risk of a substantial fine in case my data is disclosed.

[rectang]

It's OUR data, and WE as individuals are the ones who have to clean up the mess after aggregators spill it.

Perfect security is impossible, but let's not forget 1) who is harmed, or 2) who is getting rich and who will in a worst case will cut their losses, go bankrupt, then start another company with the accumulated weath.

[chrishacken]

Then don't give your data to anyone. Perfect security doesn't exist, no matter how hard you try or how much money you throw at the problem. Breaches happen, end of story.

So the real issue should be: When and how will a new secure form of identity be created, used, and made available. Social security numbers were never intended to be used in the manner in which they are.

[chronic824]

It's not YOUR data. It belongs to the COMPANY. If I draw a sketch of you sitting on a subway, sorry, but you don't own the sketch.

[doesnt_know]

In my country (NZ), it is my data. It's the literal law that any agent that collects personal information needs to follow a number of rules. (Search for NZ privacy Act for the gory details).

I'm allowed access to the information, and can request that it be updated. They can't keep the information longer then is necessary, they can't use it for anything other than the original collection purposes, they have to take reasonable measures to secure it, they can't disclose it etc.

I won't harp on about the details, but it's relatively well thought out (apart from some limitations regarding the reporting of breaches, but there are changes in the pipeline to patch that up).

[adrianN]

That may be the case in the US, but here in Germany I could sue you if you made that picture public. Here people have the right to decide whether pictures of them can be made public or not (with some exceptions).

[sametmax]

What about health data ? Children school info ? Company trades in email ? Do you really want to play that card ?