It's not possible to 100% guarantee that data will never leak, but it's entirely possible to 100% guarantee that the company will cover the full costs of a leak. If that was somehow a legal requirement, everyone would go out and buy insurance for it and then life would go on, probably with additional emphasis on security.
I have a different position on that. My perspective is that if a company doesn't act negligently, follows all legal procedures and industry standards regarding data security, then why should it be made to pay for damages caused by a third party?
It didn't cause the damage, it's been the criminals who did that. They should be held accountable for this.
That seems pretty reasonable too. I like the idea of making the business liable regardless because it more or less automatically optimizes the combined cost of security and losses. Companies will in theory spend money on security until each dollar spent mitigates less than a dollar in losses, then stop.
The trick, of course, is making sure companies estimate their risk properly and don't just screw everyone over by underspending on security and then going bankrupt when hacked. Mandatory liability insurance could help with that, since insurance companies basically exist to assess risk in something like a realistic fashion.
So you think that startups with hockey-stick growth should have to design systems which are impervious to extremely sophisticated criminals? That seems unlikely.
Edit: also, the main risk here is password reuse. How is Yahoo supposed to estimate that and why are they on the hook for users' bad security practices?
You're forced to spend money to mitigate losses. If you can do something to decrease the losses, or the likelihood of suffering one, then the insurance will cost less.
Right, so your spending will increase up to the point where your ROI is 1:1, then you'll stop. That point will be long before you reach imperviousness.
Companies seem to hold on to extra data because, "why not?" Previously, they were limited by sorting and storing physical documents. Let's say you changed your address. In the past I imagine most companies would update their file (discarding the old address, because that would cause confusion) and nowadays I can see companies keeping the old one around because it might be useful later.
I would like a scenario where companies choose not to store data not immediately useful to them. They already have incentives to store old data (it's cheap, audits, monetizing later, direct advertising, etc). The best tool I can think of is liability.
I don't think the balance between companies and individuals is always equal. If I want to sign up for cable TV I have to agree to their contract (I don't get to negotiate terms), which commonly includes giving them your birthdate or social security number, giving up the ability to sue by agreeing to arbitration, agreeing to a 12 month contract, etc. Yes, I'm not forced to agree to that contract and can go without cable (and I can see why they need much of that info--at least upfront), but the limited alternatives (and less-than-diligent consumers) allow companies to add creepy data collection without much pushback.