Let’s Flip the Script on These Data Breaches
“Your data has been compromised.” These five words have become so common in my inbox that they’ve almost lost their capacity to alarm me anymore.
The first time I ever saw this announcement, I realised that I’d probably need to quit my day job just to reset passwords and monitor the affected accounts. The email might as well have said, “Congratulations, here’s an unpaid part-time job for you.”
The Challenge
As a technologist, I’ve seen data breaches from both sides of the corporate firewall, but it wasn’t until I received my own Apple security report earlier this year, showing my personal information had been exposed in 132 separate breaches across companies I trusted, that the absurdity of our current framework for data breach accountability truly crystallised for me.
We’ve created a rather bizarre reality where the corporations we trust with our data can lose this very sensitive information we give them and then outsource the fallout to the same people whose data they’ve exposed. You could liken it to a bank being robbed and then asking its customers to track down the money themselves while offering them a free pamphlet on “How to Spot a Bank Robber.”
Yes, I’m aware that some governments and their fiscal oversight bodies already impose financial penalties on companies that allow consumer data to be breached. However, we all know those funds rarely make their way back to the affected consumers. Instead, they disappear into general treasuries while the consumers are left scrambling to freeze credit reports, change passwords, and monitor accounts. All unpaid labour that we never signed up for!
The fundamental flaw in this approach (as I see it) is misaligned incentives for these companies, and so they continue to treat data breaches as PR problems rather than the colossal failures of consumer protection and abuses of trust that they really are. The government penalties, while sometimes substantial, I’ll admit, have become just another cost of doing business, i.e. a line item that never properly compensates those whose data was actually compromised.
The Solution – as I see it
What would truly benefit consumers is a radical rethinking of breach accountability with practical solutions. I may not be a government expert, but I’d offer this revolutionary approach to dealing with this challenge:
First, a direct compensation framework. When people’s data is breached, the affected people should receive automatic financial compensation based on the sensitivity of the exposed information. Was it your NI number (that’s social security for the North American folk) that was exposed? That’s £1,000, please – wire it to the relevant person’s bank account along with a text confirmation to them. Credit card details? That’s £650. Email and password? That will be £400, please. I think this system would create immediate financial consequences that scale with each affected consumer.
Second, mandatory restoration services. Beyond notification, the companies should fund independent “data restoration specialists” who handle the entirety of the post-breach cleanup, from monitoring dark web sales of people’s information to executing account changes and security freezes on their behalf.
Third, portable breach histories. Companies should be required to maintain accessible records of all previous breaches, and these records should transfer when they’re acquired by or merge with other companies. This would prevent the all-too-common scenario where responsibility evaporates through corporate restructuring.
And finally, the companies should face escalating penalties for retaining sensitive data beyond demonstrably necessary timeframes. The less unnecessary data they store, the smaller people’s exposure when (and not if) these companies’ data silos are breached.
The status quo isn’t just ineffective. It’s fundamentally unjust. We wouldn’t accept restaurants charging us for the privilege of cleaning their kitchens after a health code violation. Why then should we normalise doing exactly this with our digital lives? I’ve had some of these companies offer me a free year’s worth of credit monitoring as a goodwill gesture, but what’s that going to do for a permanent vulnerability? We all have better things to do with our time than becoming unpaid security administrators for the big corporations that failed to protect our data in the first place.
I advance that the cost of breaches should fall squarely on those who failed to protect our information and not on the people who trusted the corporations with their data in the first place.
Wouldn’t you agree?