[drspacemonkey]

If I were a gambling man, I'd bet that would just lead to "data warehouse" subsidiaries that would hold the liability. In case of a leak, they'd "go broke", and another would be spun up in its place. Same thing is happening with temp agencies to shield employers from workplace injury liability.

http://projects.thestar.com/temp-employment-agencies/

I completely agree with you. Shit security should cost money. I just think it has to be something like data leak liability insurance. The costs of having shitty security would be reflected in higher insurance premiums. That way, financial math would be firmly on the side of keeping data secure, instead of limiting exposure via corporate shell games.

[eberkund]

There must be a way to carefully craft the law to prevent those sorts of workarounds, no? For example, the business who is making the transaction with the person whose data is leaked is liable. So the consumers in the case of a retailer, or the businesses who use Equifax for background checks in that scenario.

[athenot]

That's how it works with HIPAA. Patients interact with Covered Entities, and they can contract out to a third-party and sign a BAA. The third-party is then on the hook because if they fail at protecting data, the Covered Entity gets the sanction.

[drspacemonkey]

Honestly, I don't know. That's not my field of expertise. I'm mostly just cynical about fines and penalties being paraded around as a curative measure, only to find out that the fines and penalties have such huge loopholes that entire corporations can fit through.

[bluGill]

We can require bonds on good behavior (basically insurance, not to be confused with other types of bonds) - you can contract it out, but only if whoever contract has a bond for enough money.

Of course whoever backs the bond doens't want to pay, so they will do due diligence in relation to the value of the bond.