Except damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line.
> damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line
Through private action, yes. Use statute to define damages as a function of number of people affected, type of data released and whether the company self reported or was caught, by the public or a regulator. Add enhancements if the company was reckless, the data was out there for longer than a month or if it was accessed by foreign adversaries.
Through private action, yes. Use statute to define damages as a function of number of people affected, type of data released and whether the company self reported or was caught, by the public or a regulator. Add enhancements if the company was reckless, the data was out there for longer than a month or if it was accessed by foreign adversaries.