[gibba999]

I'm over 30 too, and I believe in not allowing corporations to externalize costs onto customers. If my data is compromised, that should be very, very expensive for the corporation.

When I was young, I wasn't a fan of this sort of policy, since I looked at things less holistically, and on shorter timeframes.

Holistically, higher damages aren't anticorporation, but just shift the ecosystem. Over time, companies who treat data securely will have a market advantage. Different, more secure programming practice will evolve, and companies will innovate and compete in security.

My thinking changed around the time GDPR passed. Before, I thought policies like that were anti-corporate. After, I saw how they changed market forces, but economies did just fine or better. Externalizing costs isn't good for economies.

[Sebb767]

> I'm over 30 too, and I believe in not allowing corporations to externalize costs onto customers.

They shouldn't be externalized onto the victims. The cost will, by principle, always be externalized to their customers, since that is were the money has to come from.

[gibba999]

You're assuming perfect market transparency. That's a false assumption.

Company A has good security, which adds $5 in your costs.

Company B has poor security, which doesn't, which will lead to $500 down-the-line from a security breach and identity theft. It charges $2.50 less and otherwise has an identical product.

You have no way to know that. You will go with company B, and you will split the $5 gain, where you save $2.50 and they take $2.50 more in profit.

Company B externalizes costs onto the customer. Company A's customers have higher initial costs, but they wouldn't be defined as 'externalized.'

[Sebb767]

> You're assuming perfect market transparency. That's a false assumption.

The situation we have here is clearly company B. So we have two options:

- Let the victim (who is or was a customer) pay the $500

- Let the company pay the $500. They need to get that money [0], so they charge their current customers more money.

Either way, the bill goes to the customer. The only difference in the second scenario is that the company needs to increase prices, which will hurt them in the long run and (hopefully) justify the additional expenses in security. But they can't create money out of thin air [1].

> Company A's customers have higher initial costs, but they wouldn't be defined as 'externalized'.

You're right - I was wrong about the definition of externalized.

[0] Technically, they don't - they could go bankrupt. But that would be the first scenario all over again.

[1] Unless we're talking about a bank, of course ;)

[gibba999]

I say charge company B, but I disagree with your analysis of where the money will come from. Companies charge to maximize future profits.

If company B tries to charge customers an extra $500, they'll be more expensive than company A, and customers will go to company A. They'll exactly go bankrupt. If they could have charged customers $500 extra and kept it, they would have done that from the get-go. The money won't come from customers, at least in a market with any competition.

Where will it come from? Well, the money will ultimately come from company B's investors. There are several mechanisms by which this can happen:

- Company B has a billion dollars in the bank. It spends $500 million on damages. It now has $500 million in the bank, and is worth $500 million less.

- Company B has zero dollars in the bank, but an otherwise solid business. It issues new equity, diluting existing equity, to raise $500 million. Existing shares are worth $500 million less.

- Company B has zero dollars in the bank, and a negative net worth. It files for bankruptcy. A court reorganizes it to pay the debtors (e.g. the customers). Old shares are worth $0, and the company is now owned by its debtors -- it's customers. The shares aren't quite worth $500 each, but customers get as much as possible, and the business keeps chugging along. No one loses their job.

Once investors notice, they'll start to include data security into company valuations. Insurance companies will do likewise. Keeping poor security will decrease profits, and security will improve. On the other hand, I don't think many companies will fold -- in the sense of letting customers and employees down -- based on this.

[stjohnswarts]

only as long as they stay in business.