[p1esk]

One definition of victimhood could be how much a person has suffered as a result of the crime. I'd say if someone has lost their job because the data leak, or had their identity stolen with actual serious financial consequences, they are a victim.

True, a lot of people are victims of their own stupid decisions. A society should still try reduce the likelihood of the stupid decisions, especially when there are obvious bad actors actively trying to increase such likelihood.

[anigbrowl]

But your approach requires us to wait for something bad to happen to someone else before forming an opinion. Why exactly should people whose privacy has been violated have to be sacrificed further before any value is assigned to their privacy? We can use retroactive data to estimate the downside risk.

[p1esk]

Sure. What does the retroactive data say? If the data is bad then I agree - it should be punished accordingly.

[Zak]

When measuring a large scale crime like that of Cerebral, the number of victims is as important as the magnitude of the impact. There were 3.1 million victims. Stealing a dollar each from 3.1 million people would get the kind of law enforcement response that stealing $3.1M does even though the individual impact of that crime is virtually nil.

[p1esk]

Stealing a dollar each from 3.1 million people would get the kind of law enforcement response that stealing $3.1M does even though the individual impact of that crime is virtually nil

That's an interesting question whether it's fair to treat it this way. I can see valid arguments on both sides.