[kavok]

We need to attach actual monetary amounts to PII. If a company loses the data they owe you that money. The money is increased based on how and if they disclosed the leak. Lying about a leak should be a criminal offense.

This would would allow engineers to better be able to prioritize security, which typically gets ignored or put low in priority.

[wizzwizz4]

I think we should exempt this from double-jeopardy: the fines are considered purely-punitive, and are in addition to any civil or criminal penalty issued by the courts. This will help ensure that organisations can't just price data breaches in to "move fast and break things" and have no further liability, and that people who've experienced damages much greater than the standard fine don't lose their chance to get suitable compensation.

[mrln]

Wow, I've not heard this idea before and I think it is very interesting! How would you set this amount though? Does the company/user/government set it? Would the same data have different amounts depending on the company? How would that system handle users with multiple accounts?