[twunde]

For people to care of would have to be like healthcare. The Change Healthcare breach cost 2B+ and led to a huge loss in market share. Or like AMCA, which went bankrupt after the breach (Labcorp's billing company). If you're a health tech company you can no longer insure your way out of the problem over you reach a certain size.

The reality is that we need data breaches to be painful but maybe not company ending events unless it really is sensitive data. As patio11 likes to say the right level of fraud is not zero. There's a middle ground where we can increase company liability or reduce the damage caused by a beach.

[kjs3]

Optum360, still in business. HCA Healthcare, still in business. Excellus Healthcare, still in business after paying something like 50 cents per breached user. AMCA went out of business because their biggest customers said "damage control dictates we cut ties with you so we don't look complacent" (that is, like I said, the customers have to care to make a difference). And did anyone stop going to LabCore (after their own data breach, not AMCAs) or got a different doctor because the healthcare group they're part of got breached? Not likely. I don't think healthcare is ahead of the game here.

But yes, until it becomes actually painful to companies and the people who run them, it won't get better. If a corp death penalty is off the table (I don't think it should be), I guess would be either/both proportionate fines (fines equaling a couple of hours of revenue don't cut it) or making some of the leadership personally accountable, a la SOX fines, asset forfeiture and criminal responsibility for responsible C-level execs. Hate on SOX all you want, it sure made finance executives care about what is going on in their organization.