Comment Data like that needs to be a liability... (Score 2) 33
... as well as an asset. How about:
* If you have data that can be used for identity theft, and it leaks, you owe a per-person-exposed fine.
* In the absence of reliable records, all unencrypted data held by the company is assumed to have leaked.
* Fines are increased if it can be shown the company knew about the leak for more than 30 days before admitting it publicly.
With something like this hanging over them, companies:
* Might think twice about keeping data they don't really need,
* Might encrypt data at rest to make it harder to steal.