by Veserv 3 days ago
A problem of incentives. How can we fix it?

Advertising tied to liquidated damages.

1. Any company handling PII must prominently advertise an amount of money per user they must pay in cash in the event of a data breach. This is a mandatory minimum payment and does not preclude subsequent lawsuits on specific damages.

2. Any claim of security or privacy must prominently advertise that amount earlier and in larger text than any other statement: “We provide 25 cents of security.”

3. In the event of a data breach, your first notification must inform all affected parties and you immediately become tentatively liable for your data breach amount. Any affected party not notified in the initial disclosure receives 3x damages in the event their data was lost.

4. You may disclose to parties that you now know they are not affected. In the event that their data was lost they will receive 3x damages.

5. In the event of a data breach, you must issue your first notification within 1-7 days of when you discover it or are informed of it. Failure to do so constitutes a first notification to 0 parties, so you become liable for 3x damages to all users.

6. A data breach of any vendor you supplied PII to constitutes a breach.

1 and 2 align marketing with capability. 3 and 4 prevent underreporting. 5 prevents late reporting. 6 prevents diffusion of responsibility or the creation of scapegoat entities and incentivizes only using vendors who properly track data provenance so their lawyers can tell your lawyers your users are unaffected.