by yellowstuff 2601 days ago
Professional ethics is not the right approach to fixing the problem with user data. As the Equifax hack shows, the problem is not limited to the tech industry, and it's a problem of incentives at the corporate level, not the individual contributor level. We need corporate regulation.

User data is an asset, because you use it to make money, and it is a liability, because it can be stolen and misused. Companies currently get all of the benefit but very little of the risk. If user data had to be insured then there would be a financial incentive to only keep what's needed, and to treat it more carefully.


> If user data had to be insured then there would be a financial incentive to only keep what's needed, and to treat it more carefully.

Interesting thought. How would you imagine this would work in practice? Insurance against what? In the event of loss, who would make a payment to whom?

There are "cybersecurity" insurance policies available to companies now but they really only cover the cost of mailing notification letters to impacted people and sometimes the cost of credit monitoring for a year. They're way overpriced and usually not at all worth it. I suspect that isn't really what you had in mind though?

The insurance payouts for a breach could go to the affected users or to the government; I don't think it would matter much. The important part is that companies need to pay to retain user data. The insurance would have to be mandatory for large companies.

I agree there needs to be a cost to companies that lose user data, but I fear insurance would be a way to compensate users for the loss without incentivizing corporations to mitigate the risk.

Presumably the insurance (or the company that failed to get insurance) would pay the affected users.