by elliekelly 2600 days ago
> If user data had to be insured then there would be a financial incentive to only keep what's needed, and to treat it more carefully.

Interesting thought, how would you imagine this would work in practice? Insurance against what? In the event of loss, who would make a payment to who?

There are "cybersecurity" insurance policies available to companies now but they really only cover the cost of mailing notification letters to impacted people and sometimes the cost of credit monitoring for a year. They're way overpriced and usually not at all worth it. I suspect that isn't really what you had in mind though?

2 comments

The insurance payouts for a breach could go to the affected users or to the government, I don't think it would matter much. The important part is that companies need to pay to retain user data. The insurance would have to be mandatory for large companies.

I agree there needs to be a cost to companies who lose user data but I fear insurance would be a way to compensate users for the loss without incentivizing corporations to mitigate the risk.

Presumably the insurance (or company who failed to get insurance) would pay the affected users.