Maybe the solution is a data tax. You pay a set amount every year for every piece of personal data you have. If you buy personal data from another company, you still have to pay the tax for the data you acquired.
If you have a breach of data, your tax goes up for a period of 10 years.
In addition, every piece of personal data needs to have provenance which must be tracked. There must be a way to track from when a consumer input the data all the way through. Fraud in regards to this provenance is punishable by jail time. If you have data that does not have provenance, the company will be severely fined and people will go to jail. In the event of any data breach, not only will the company that had the breach be taxed extra, all companies that provided the data to the company (which is in the provenance information for the data) that had the breach will also be punished with increased data taxes.
In addition, maybe require annual personal data reports. The reports should contain:
Amount of personal data.
Amount of personal data last year.
Amount of personal data acquired directly from consumers.
Amount of personal data purchased and from whom at what prices.
Amount of personal data sold and to whom for what price.
This will be a filing to a government agency every year on penalty of perjury and be signed by all the board members and the C-suite. This will be publicly made available by the government. That way people can see what is happening with their data, and who is profiting off their data.
The financial math has to clearly be on the side of it being more profitable to practice proactive security.
Why not just liability for lost data? Companies could then choose to hold the risk themselves or field it out to insurers.
It would be nice to require insurance or a bond to hold personal data so a company can't just disappear when data is lost.
This is exactly what I mean when I say that, if you want to see real corruption, just take a look at regular small businesses around you.
If this is possible without insurance then it’s possible with, and every insurance company will mandate the structure to limit payouts. Mandating insurance simply entrenches the insurers. Why, for instance, would you want to require Apple purchase insurance against its users’ data?
Side note: beneficial ownership and affiliate definitions are useful for such cases.
You can't limit insurance payouts this way, because the entity has to carry the insurance. You only limit the exposure of the larger entity after the assets of the liable entity, including any insurance coverage, are exhausted. But the more the mandatory insurance level is, the less likely spinning off to protect the parent is to ever be valuable, and it never protects the insurer, so they won't mandate it.
Of course, that's all irrelevant unless there's a significant change in how the law treats data security.
Risks (all kinds, not just technical) can be accepted, ignored, transferred and mitigated so it is important to have this option.
It's still not a great option for anyone involved as it is hard to price and last I checked had a pretty low ceiling on payouts.
What would the actuarial standards be for something like that?
This whole post is about giving control of data back to the rightful owners and minimising the impact on them when a breach occurs. This is equal parts a fundamentally simple objective to achieve and one that is enormously difficult. It's simple not to request that someone provides their date of birth to a cat forum; neither the site nor the user themselves lose anything by not collecting this data. Yet it remains a difficult objective because not only do so many services continue to view our data as an asset, they never expect to be the victim of a data breach which then turns that data into a liability.
In Europe, especially with the upcoming GDPR laws, data is seen as a liability by many companies.
Data being a liability just means that companies need to think twice before storing it - if the data is sufficiently valuable, companies will still store it, but they have to manage it properly and mitigate risks since penalties are harsh.
Storing data "just because you can" will no longer be worth it, and rightly so, given the risk.
Also have the fine scale exponentially by data items.... data set of 100 people with 2 items (name and email = $400 total or ($2x$2=$4 per user x 100 users)).
Data set with 1 million users and 10 fields per user would be $1B and $1,024 paid to each person...
Then make companies bond their liability - with recourse against anyone up the chain of title if the data was purchased...
Perhaps a bit draconian...
Observations I make are mine, if I observe you it's my observation.
I can tell stories about my observations, but if I make public statements about you that are false, that's a tort.
Your security clearance report stolen by the Chinese from the US government OPM database. This could be a real problem for you. Information anyone can get by paying for it? This would not be a problem if credit fraud and credit reports were not such a big problem.
Coincidentally, we don't have the same types of mass identity theft issues that USA has.
I was specifically giving an example of why your observations don't automatically mean you have ownership today. I'm personally in favour of laws that ensure such observations are more explicitly owned by the observee in corporate scenarios.
Credit reporting and debt is a dumpster fire that needs to be rebuilt from scratch.
We need a new system where knowing the right pieces of information does not allow you to buy a car in someone else's name.
Identity is information. Ownership as a coherent social process is contingent on shared information.
Either it's private, and then NOBODY has it (i.e. stored on local machines, paper or just memorized), or it's not private, and then it's publicly accessible on a website, or it's confidential and then it's either service-specific data that is deleted as soon as possible (e.g. web searches) or given along with a physically signed contract containing an NDA and penalties for failure to keep secret.
The best way to achieve this is to require, by law, companies to publish on the web anything they learn from customers that is either not strictly part of their interaction with the service or has been stored for more than a month.
This will result in companies no longer asking for things that customers don't want to be public, and deleting interaction data unless the customer wants it kept and published.
Also it will result in a reduction of Google/Facebook/etc.'s monopoly powers since they will have a reduced monopoly on customer data.
I hear things about how the data is the 'real' product, and how it's mostly used just to train algorithms that are then used to sell ads. More data, better training algos, better ad targeting, more money spent.
But that data can be remarkably easy to spoof and goof with. Garbage in = garbage out. That would be a liability to the algos, the real weak links.
So, I think that a tax is not the best idea.
Rather, the data needs to be made into 'garbage'. Yes, an obfuscation race will ensue, but there is always more trash than gold, more noise than signal.
If we really want to change the game, we need to have easy to use apps that will throw a minute amount of static on the Instagram photos, that will put just a bit of background on the phone calls, and that will throw a small bit of random words into the emails.
Yes, PGP does this already, but we all know PGP is not easy to use (by design?).
We don't need 'total' security and safety, just a bit of fuzz will screw with the algos enough (thus the start of the obfuscation race/war).
The solution: lawsuits. The laws need to be relaxed where if a company leaks data, we are entitled to damages. Just like if someone assaults you on the street you are entitled to damages.
The most famous case is McDonald's. When their hot coffee scalded a woman, she was awarded damages. Suddenly, every food serving establishment took care to make sure the temperature was right, printed warning labels, and told customers to be careful...it's hot.
Pretty sure if some of these companies get stiffed with huge fines, everyone will take notice and clean up their act.
What an excellent insight. You changed my conception of the problem. Thanks!
This gets complicated when the interactions themselves are complex and indirect. I'm looking at some general notion of complexity, in terms of scale, structure, and depth, but one general notion I'm working toward is that of intermediation -- the distance, think of it as a depth in nodes -- between the observer and observed. The shallower that depth, the simpler the interaction, the less intermediated the relationship.
Node complexity also matters. Jumping through dumb pipes is one thing, passing through complex relays another. The children's game of "telephone" exemplifies this -- contrast that to simply passing a note down the chain. The note (written on paper) is physically transported. The verbal message is passed from one person to the next.
(We're ... starting to see bits of this emerge as our comms networks become more complicated, and powerful in processing capabilities.)
Back to value/liability: any given opportunity or action has some positive potential and some negative one. We tend to pursue actions with a high probability of success, and where negative consequences are either rare, or, and this is problematic: vaguely defined or difficult to articulate. That is, there's a risk, but you don't know how big that risk is. And in cases it's huge: tetraethyl lead, asbestos, tobacco, CFCs, fossil hydrocarbons.
But it takes years or decades to establish the risk. And there's a strong motivation to denying it or suppressing the message.
Data falls into that class of goods (or bads).
We could start by repealing that nonsense.
When he started there, as bottom level IT support, he had access to everything. Admin passwords, doctor's passwords, he could write prescriptions and put a doctor's name on it. He could order anything and everything, and send it anywhere. He could read your medical files, if you were a patient there at any time. There were no restrictions, only some logging.
The place is only >>this week<< securing the network, because the last security guy quit and a new guy started.
I don't know what it's like in the US, but where he is there should be regular audits and criminal negligence charges for this kind of thing.
I know, networks change everything. But inside a secure facility it's often (always) the case that personal integrity (and maybe some audits) is used to ensure correctness most of the time.
Somebody working in a hospital could steal prescriptions off of patients' tables, could lift wallets and purses, heck could even take a knife and attack people. But instead of hobbling everybody and locking everything up, we instead trust folks. And take action when somebody untrustworthy violates that.
First, "impossible" is taking the argument to the extreme. Second, the insecure network OP described is negligence. Perhaps they were even reckless. That's not a new concept.
You do know it is impossible to thwart all data breaches, right? You can have the most sophisticated security system created and Zero-day attacks are still bound to occur. Data breaches occur without the companies themselves even knowing they took place... Geniuses are on the offensive side, if they want in, they will get in. No company in the right mind would agree to pay a tax when the inevitable happens. Just my 0.02
False. No system, no breach. No data stored, no possibility to lose it. Accept the liability for having the data or don't have it.
As RcouF1uZ4gsC's proposal contains measures to be taken when it happens, I strongly suspect that he does, in fact, know that.
> Zero-day attacks are still bound to occur... Geniuses are on the offensive side.
Most of the breaches have required neither of these. The goal is to improve the practice of security to the point where the only successful attacks would require both.
> No company in the right mind would agree to pay a tax when the inevitable happens.
You have a very unconventional idea of how companies generally operate.
His proposals imply that he does not in fact realize that zero-day attacks occur. Negligence is one thing, but having state of the art security systems and still being punished for a breach is another thing. A state sponsored group with enough time and money can repeatedly infiltrate a system. A tax certainly won't solve the problem.
If your business is such that a tax penalty on a breach would make you no longer able to afford to do business, then you have two options:
1) don't store the data in the first place - your risk now goes to 0
2) scrap your business plan as the cost of holding the data given the impossibility of preventing every breach is greater than the economic value it would generate
Today you don't have to really think about what the cost of losing the data is because your portion of it is 0. That's stupid. It's like every startup deciding to include a new type of coffee machine that includes a small nuclear reactor - sure, we can't prevent all possible disaster scenarios, but the marketing people and data people REALLY LIKE having this type of coffee available, and the government isn't giving us any reason NOT to have it, so why not?!
So if a tax either makes you put money aside to account for the risk, or shuts down a bunch of frivolous examples of personal data collection, it's solved a huge part of the problem.