[milkytron]

That would make a lot of companies responsible for the data they keep and should be responsible for protecting.

SQL injection can be (and probably is) malicious though, so I suppose it becomes a unclear line for that example. Maybe punishment of both parties would be appropriate but I'm not a lawyer so don't have expertise in law punishments. But I could see this as incentivizing data security. Even if a 0 day is discovered, companies will be less inclined to drag their feet for a patch when one becomes available.

[MereInterest]

Honestly, I'd want to see strict liability for data breaches, with revealing of personal information included as a type of injury, and not merely something that must be shown to have led to other forms of injury. Right now, the most I can do is reduce the amount of personal information that is collected about me, and I have no ability to ensure that it is stored in a secure manner. Companies that record personal information about me (e.g. Google, Equifax, Facebook, etc) have the ability to improve their security, or to reduce the scope of collected data, but have no incentive to do so. By placing the liability on the same entity as makes the decisions, it creates that incentive.

[after_care]

I’m not sure I believe in 100% strict liability. Imagine if someone were to perform a B&E or armored robbery at a physical location to steal hard copies of records.

Clearly if someone uses a zero day to steal personal information from an otherwise secure server than the server’s owners were not negligent.

In addition, often times the only people that know there was a data breach is the organization that had their data breached and the attackers that stole the data. None of the parties could report the data breach without violating their 5th amendment rights if they both had legal liability.