> Make companies responsible for securing that data, and make it _expensive_ if/when they get breached. Make storage of personal data "toxic", so companies will _only_ keep it for the minimum amount of time required for whatever use it was gathered (where only companies like FB & Google, and to a lesser extent Amazon would admit to themselves that it was collected for the express purpose of creating a historical record of individually identified PII).
You're assuming they won't just mitigate the risk by spending more on securing the data and then still keep it all and hope their security is enough to avoid getting pwned.
Moreover, many smaller entities won't even bother with trying to secure it and then just hope it doesn't happen to them and declare bankruptcy if it does. Some of which will just have had no idea the liability even existed to begin with because they don't read HN and didn't have the money for lawyers.
The solution to this is better when it comes from the demand side. People should refuse to give this information to these companies; then they won't have it and can't use it for anything nefarious. So the question then is how to convince people of that.
Certainly a good first step would be to eliminate any existing rules that require companies to collect this type of information on people.
> Certainly a good first step would be to eliminate any existing rules that require companies to collect this type of information on people.
Yeah. That's one place we here in .au are fucking ourselves over. As well as our mandatory breach reporting laws, we _also_ have mandatory metadata retention laws. If you're an ISP (which thankfully I'm not), you are _required_ to retain all your users' metadata...