by eberkund 2995 days ago
There must be a way to carefully craft the law to prevent those sorts of workarounds, no? For example, the business who is making the transaction with the person whose data is leaked is liable. So the consumers in the case of a retailer, or the businesses who use Equifax for background checks in that scenario.
3 comments

That's how it works with HIPAA. Patients interact with Covered Entities, and they can contract out to a third-party and sign a BAA. The third-party is then on the hook because if they fail at protecting data, the Covered Entity gets the sanction.
Honestly, I don't know. That's not my field of expertise. I'm mostly just cynical about fines and penalties being paraded around as a curative measure, only to find out that the fines and penalties have such huge loopholes that entire corporations can fit through.
We can require bonds on good behavior (basically insurance, not to be confused with other types of bonds) - you can contract it out, but only if whoever you contract with has a bond for enough money.

Of course whoever backs the bond doesn't want to pay, so they will do due diligence in relation to the value of the bond.