by Spivakov 1511 days ago
"The point of most cryptography and security features is to use math to represent and symbolically transfer liability and risk between transaction counterparties"

What is the liability here? For example, the company holds different levels of liability in a data breach, depending on whether they implement the security correctly - is that what you mean?

1 comments

An example would be whose keys encrypt and decrypt the data, which realizes legal things like custody and control and the associated responsibilities.

One area that has recently changed is "de-identification," which used to essentially be a cryptographic problem, but now it's a legal definition where you assert a policy about the data encoded in a way and subject to a risk assessment to make that assertion, and then the de-identified data (PII/PHI) now comes with obligations.

Another example was chip/PIN payment cards several years ago, where they transferred liability to the merchant for fraud and chargebacks, where previously, magstripe meant the liability for chargebacks largely stayed with the issuer.

If an online banking account gets hacked, banks have less liability than they did previously - as even though you must assert it was they who were robbed and not you, and they still owe you the money you deposited with them, enhanced authN/MFA has allowed them to imply it's somehow your fault that someone stole the money you trusted them to hold for you.

The security of each tech divides the liability between the parties in these cases.