
I understand the emotional appeal of overselling the problem, but you'd get a much better response with a $50K insurance policy than an obviously absurd $5M. Even $50K is sort of generous and probably generally more towards the worst case end of identity theft than the average case. It is plainly obvious to everyone that when Bob the upstanding middle class guy is hit by identity theft that Bob may experience great loss of money and time from his point of view, but that identity theft was not the one thing standing between Bob and $5M.

At scale $50K still adds up to a lot, and we'd probably have to cap it some other way too because at-scale breaches don't add up that far, because the system does in fact react to them. This particular breach would be a seven trillion dollar payout if we don't cap it, and the simple reality is that this breach, no matter how much pain it may eventually cause us, is not going to cause anywhere near seven trillion dollars' worth of damage to consumers, or the economy, or anything else. But $50K makes sense for isolated cases that don't get a coordinated response.




Why would you cap punitive damages? Sure, it won't be collected, but that's okay--this sort of failure should destroy a company that betrayed the societal trust. It should be a smoking crater when all is said and done.


We should go one step further and just terminate consumers that use companies that don't have good security. That way it will never happen again for sure.


I can get on board with this as soon as you figure out a way to require security training for the masses as opposed to the handful in charge of security.

If you get it to work, we can then proceed to get rid of police departments.


Not the person you replied to, but while I see your point, there should not be a cap to prevent companies from taking consumer trust for granted, especially at the scale and magnitude of companies that handle almost all Americans' information. If a person's SSN, which is pretty much a key to screwing that person's financial life up, is not worth protecting correctly by these companies, these companies should be financially screwed too. In the current state, will Equifax be held liable for any identity theft that occurs from this breach?


I think we can probably all find a cap somewhere south of 1/3rd of the 2016 United States GDP for a single breach.

I mean, really, once you get past the amount of assets that Apple holds, it's all the same penalty anyhow: Instant corporate bankruptcy. Arguing about whether we penalize a company trillions of dollars or quadrillions of dollars is not really an argument.


Insuring for the "average case" defeats the entire purpose of insurance.



