Data Breach Compensation
Data breaches, sadly, have become far too common. Here is how we can fix it.
Data breaches, sadly, have become far too common. While not all breaches are easily avoidable, companies often have ample warning ahead of a security incident. More often than not, the cybersecurity resources needed to prevent, or at least mitigate, breach threats are considered unnecessary or non-critical expenses, particularly before end-of-quarter financial reporting.
When breaches do occur, depending on the industry, there are no mandated reporting periods or timelines. Once users discover their data has been breached, compensation for exposing their data is normally only available after a class action lawsuit & settlement. It is unacceptable for companies to withhold the resources users need to protect their identities while the case winds its way through court. When settlements are reached, the user pool is so large that payments are insultingly low.
T-Mobile pays $350 million for 76.6 million users (~$4.57/user)
Cerebral pays $7 million for 3.2 million users (~$2.19/user)
Equifax pays $425 million for 147 million users (~$2.89/user)
* These amounts are not necessarily what people were paid; lots of that went to lawyers & was never claimed.
My Proposal
First, lawsuits don't work. Yes, businesses pay "large" sums; however, the compensation per user is laughably low and is not dispersed for years after the breach.
User Data Valuation Panel
Once a year, a non-partisan, independent panel of security experts, consumer advocates, and other subject matter experts is convened. During their annual meeting, they establish a value for various data types.
These values are NOT set within the legislation and update during the annual panel. This is because we don't want to have to pass a new law to, for example, increase the compensation amount for an email address from $75 to $150. See the National Firearms Act for why.
Panel members are NOT PUBLIC, and during the yearly meeting, members are sequestered to limit outside influence. We don't want a Justice Clarence Thomas type situation with panel members & AT&T, Meta, etc....
Example Compensation Amounts
| Data Point | Compensation Amount (USD) |
|---|---|
| Email Address | $75 |
| Social Security Number | $250 |
| Site Traffic Information | $50 |
| Credit Report | $200 |
| Phone Number | $50 |
| Physical Address | $60 |
| Health Records | $300 |
| Financial Account Info | $400 |
| Biometric Data | $500 |
These values are just starting points but illustrate their relative value.
If a business collects, controls, maintains, or in any way stores user-specific data, they are held to the following standards:
1) All cybersecurity incidents must be reported to CISA within one hour of being identified. CISA already has the tool in place 😄
Do you think that is unreasonable? Yeah, it's so difficult that federal agencies already have this requirement. If government agencies can meet this requirement, surely private industry can.
If a business cannot submit an incident response form within that timeframe, it is not compliant to store user data; it's that simple.
2) A list of impacted users will be started as part of the initial response.
This list is shared with CISA and the FTC to ensure proper user notification and compensation.
3) Impacted users are notified within 24 hours of the data breach. Within that email, phone call, or other notification medium, the guaranteed compensation amount and payment options are listed to receive their SUPER EASY, NO LAWSUIT MONEY.
"Thoughts" people have on the above
- This will cause businesses to go bankrupt; they can't absorb this level of financial risk.
Then they aren't a viable business. Full stop.
Also, insurance companies exist. Maybe if the above is mandated, insurance companies will direct businesses to properly secure their resources. - We can't trust the federal government with user data!
Agh yes, the US Government has sooo much trouble keeping secrets...
See: Example 1, Example 2, Example 3, Example 4, Example 5, Example 6, Example 7, Example 8, Example 9, Example 10
^ Sarcasm - The administrative burden is too great!
Then maybe, just maybe, the business shouldn't collect the data in the first place
If you are wondering about my thoughts on privacy, see my site's privacy policy.
Hat tip to one of my first online donors for asking my thoughts on this issue.
If I don't get on the ballot, no one will pay attention to these issues. If able, please consider a donation to help me get on the ballot.