1k Data Breaches Later, the Disclosure Lag Is Worse
277 points - today at 3:17 AM
Advertising tied to liquidated damages.
1. Any company handling PII must prominently advertise an amount of money per user they must pay in cash in the event of a data breach. This is a mandatory minimum payment and does not preclude subsequent lawsuits on specific damages.
2. Any claim of security or privacy must prominently advertise that amount earlier and in larger text than any other statement: “We provide 25 cents of security.”
3. In the event of data breach, your first notification must inform all affected parties and you immediately become tentatively liable for your data breach amount. Any affected party not notified in the initial disclosure receives 3x damages in the event their data was lost.
4. You may disclose to parties that you now know they are not affected. In the event that their data was lost they will receive 3x damages.
5. In the event of a data breach, you must issue your first notification within 1-7 days of when you discover it or are informed of it. Failure to do so constitutes a first notification to 0 parties, so you become liable for 3x damages to all users.
6. A data breach of any vendor you supplied PII to constitutes a breach.
1 and 2 align marketing with capability. 3 and 4 prevent underreporting. 5 prevents late reporting. 6 prevents diffusion of responsibility or the creation of scapegoat entities and incentivizes only using vendors who properly track data provenance so their lawyers can tell your lawyers your users are unaffected.
At the same time, my government and society at large are pushing more and more for "digital everything". It's great when it works. But to me, every new service translates to a new opportunity for my data to be leaked.
I think one reason why we're still seeing so many breaches is that security is hard and thus expensive - and on the other hand, other than customer push-back, companies or other providers have pretty much nothing to worry about when their data gets extorted. To me, this is impossible. When I give my private data to them, I'm giving them something very valuable. If being careless with that value basically has no consequences, the incentives to care are low.
We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be prosecutable, and the affected parties need to be given a right to compensation. Of course, that's not going to happen. It would be difficult to implement in practice, if at all possible. But as long as there is no monetary incentive for data holders to be as careful as possible, the laxness is going to continue.
I'm a millennial and I've been told probably hundreds of times by this point in my life that my data has been breached. Not a single one of those times was there a) anything truly actionable for me to do about it[0] or b) a single negative impact to my actual life. In any way. At all.
People were talking about the Equifax breach a decade ago like identity theft was going to become an absolutely routine part of daily life for +90% of people. That didn't happen, at least not for me.
My point is: I understand that this is a topic that nerd communities like HN are well-aligned on—data collection bad, data breach bad, I get it. But does it actually matter?
Every single one of us has had our data harvested by tech giants every second of every day for absolutely decades, and neither I nor a single person I know in real life has ever had any negative consequences, either because of the collection itself or from the inevitable and seemingly continuous breaching of that data. Every single website, from the random indie shoe website I purchased from one time to multiple health insurance companies, has breached my data, over the span of decades, and from all appearances it has had absolutely zero effect that I can actually point to in real actual life.
So I'm becoming a bit of a skeptic on this item of quasi-religious dogma that y'all all seem to recite the same position on. Does the emperor perhaps have no clothes? Do we all just fear "data breaches" because we've been told to fear them by people who sounded smarter than us?
I need y'all to hit me with some scary anecdata about what happened to your hairdresser's cousin's ex-husband's dog—anecdata with no citation that I obviously can't even verify isn't hallucinated by a GPT, but should clearly accept as valid because "ooooh data breach bad"—because without that the propaganda patina on my brain is wearing a little thin.
[0] (I use a password manager to guarantee that I'm not sharing passwords between logins, so really the only thing I could do in response to a data breach disclosure is rotate the password on the breached account. But that only matters if they were storing my password in plaintext right? I certainly can't do anything about my data being out there, and it's too late for closing that account out to prevent anything.)
<We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be prosecutable, and the affected parties need to be given a right for compensation>
I 100% agree with you here. The trouble is, governments, which are often the ones to push for major court-issued penalties when corporations stuff up, don't want to be held to the same level of scrutiny and penalty. Go figure.
That's the only sensible approach. It's the one that I use, but then, I care about the users of my software, and I don't make any money from their PII.
Anyway, working with Google and Apple I realised that I quite literally do not need to store anything identifiable. The only identifier I store is the Apple id and the Google id and unless you steal those and then hack Google and Apple, they are utterly useless.
I do not store emails, names, addresses, nothing. That's the way I want it.
If the data is ever breached, the only thing hackers will see are many many instances of Connor McDavid, Nate Mckinnon and various other famous NHL player names :)
If more companies treated personal data like it was toxic, we'd have fewer issues with breaches. However, I see it in my day job where the marketing people want to take as much data as possible, all the time!
Can I find out if any of my emails are in leaks with a service somewhere?
Use varying email `plus addressing` (john+am2604@foo.com), varying passwords or passkey and 2FA on anything remotely important (use of your identity, not just financials).
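As an added example (not code from the original thread), a small script showing how per-service plus-address tags let you work out which service leaked your address once a dump turns up: the tag-to-service map, the mailbox name and the leaked rows are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed: the tag you handed to each service when signing up (placeholders).
SERVICE_TAGS = {
    "am2604": "shoe-shop",
    "hi7731": "health-insurer",
    "nl0092": "newsletter",
}

# Constructed sample rows, as they might appear in a leaked list (not real data).
SAMPLE_LEAK = [
    "john+am2604@foo.com",
    "JOHN+am2604@FOO.COM",        # same address, different case
    "john+zz9999@foo.com",        # tag we never issued
    "john@foo.com",               # base address, no tag at all
    "someone.else+am2604@foo.com",  # another mailbox, same tag
    "john+hi7731@foo.com",
]

# local part, optional +tag, domain; lower-cased before matching
ADDR_RE = re.compile(r"^(?P<local>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def parse_plus_address(addr):
    """Split an address into (local, tag, domain); tag is None when absent."""
    m = ADDR_RE.match(addr.strip().lower())
    if not m:
        return None
    return m.group("local"), m.group("tag"), m.group("domain")


def attribute_leak(leaked, my_local, my_domain, tags=SERVICE_TAGS):
    """Count leaked rows for our mailbox per service; bucket what cannot be attributed."""
    hits = defaultdict(int)
    for addr in leaked:
        parsed = parse_plus_address(addr)
        if parsed is None:
            continue
        local, tag, domain = parsed
        if local != my_local or domain != my_domain:
            continue  # someone else's mailbox
        if tag is None:
            hits["<untagged>"] += 1      # base address: plus-tagging cannot attribute this
        elif tag in tags:
            hits[tags[tag]] += 1
        else:
            hits["<unknown-tag>"] += 1   # a tag we never issued, or one that was altered
    return dict(hits)
```

The untagged and unknown-tag buckets are the limit of this technique: a site that strips the `+tag` before storing it, or a dump that was normalised, gives you a row you cannot attribute to any one service.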
Google and Apple are throttling hotfix updates (for app developers) as tons of code pushes to their infra (by vibe coders) is straining their system.
They are fixing this by throttling updates to a minimum 3-day review period.
So good luck fixing the vulnerability or data leaks in your apps.
It's not needed. There are already alternatives that could take its place. Some of them are able to actually show you what data leaked instead of leaving you blind to what was actually included in the breach.
Maybe it isn't needed
Originally HIBP and other websites used data breach dumps to solicit further data collection^1, e.g., with a fear-based, clickbaity title like "Have I been pwned?"
Maybe HIBP serves the author, maybe that's why it's "needed"
For example, it brings him notoriety
For example, he can promote his other cybersecurity website via HIBP and paid speaking engagements
The author has expressed dissatisfaction that companies are being penalised for data breaches through class action litigation, including any compensation users might receive as part of these settlements
He believes there is no user injury
https://www.troyhunt.com/data-breaches-class-actions-and-amb...
If that's his position, if he believes users are unharmed by data breaches, then what's the point of HIBP
Is it to support the companies who are collecting data and then being breached (not the users to whom the data belongs)
1. Data collection being the root cause of the data breach problem