by RevHaze 3098 days ago
If it doesn't need to be insured, you could just spin off a smaller entity responsible for holding the data for you, and shut the company down if the data leaks. You can do the same if insurance is required of course, but any brand new 'personal data holding' company would likely have very high insurance premiums to offset the risk.
5 comments

It's fairly common in the temp employee industry that if a temp worker gets injured the temp agency folds and restarts to avoid the penalties.

It would be nice to require insurance or a bond to hold personal data so a company can't just disappear when data is lost.

[0]: http://projects.thestar.com/temp-employment-agencies/

And people wonder why I am so hostile to our way of creating and governing corporations, and our way of divorcing business from the lives and reputations of those who run it.
While simultaneously championing corporate personhood.
Holy shit.

This is exactly what I mean when I say that, if you want to see real corruption, just take a look at regular small businesses around you.

https://news.ycombinator.com/item?id=15950934

> If it doesn't need to be insured, you could just spin off a smaller entity responsible for holding the data for you, and shut the company down if the data leaks

If this is possible without insurance then it’s possible with, and every insurance company will mandate the structure to limit payouts. Mandating insurance simply entrenches the insurers. Why, for instance, would you want to require Apple purchase insurance against its users’ data?

Side note: beneficial ownership [1] and affiliate definitions [2] are useful for such cases.

[1] https://www.investopedia.com/terms/b/beneficialowner.asp

[2] http://rule144opinion.blogspot.com/2014/02/rule-144-are-you-...

> If this is possible without insurance then it’s possible with, and every insurance company will mandate the structure to limit payouts.

You can't limit insurance payouts this way, because the entity has to carry the insurance. You only limit the exposure of the larger entity after the assets of the liable entity, including any insurance coverage, are exhausted. But the more the mandatory insurance level is, the less likely spinning off to protect the parent is to ever be valuable, and it never protects the insurer, so they won't mandate it.

That doesn't necessarily limit your risk exposure if litigation ensues. Anyone going after you (or the data holding company in particular) is going to attempt to pierce the corporate veil. And while that's not necessarily easy, it's still common enough. In that situation, it's almost inevitable that the separation won't be clear and strong enough to avoid being pierced.

Of course, that's all irrelevant unless there's a significant change in how the law treats data security.

It seems to me that doing so should somehow constitute fraud. It would be better if the law could be changed to make sure it is penalised as such.
Isn't this where "piercing the corporate veil" comes into play?