SUMMARY - Risks of Data Breaches

Baker Duck
Submitted by pondadmin on

A healthcare provider suffers a breach exposing the medical records of 10 million patients. Years later, victims discover their medical histories being used for insurance discrimination and identity theft, long after the news cycle has moved on and the company has paid a modest fine. A financial services breach compromises credit card numbers, social security numbers, and account credentials. Affected individuals spend months disputing fraudulent charges, restoring credit, and dealing with cascading problems as the stolen information enables new breaches. A social media platform's breach exposes passwords that many users reused across sites, turning one company's security failure into a vulnerability affecting accounts everywhere. Another organization experiences a breach, but a comprehensive response (rapid notification, free monitoring, zero-liability protection) minimizes harm and maintains trust. Data breaches have become routine, affecting billions of people, yet questions about who bears responsibility for the harms, what obligations breached entities have to victims, and whether current security standards are adequate remain deeply contested.

The Case for Breach Prevention as Fundamental Obligation

Advocates argue that data breaches represent corporate negligence that should trigger severe consequences, because the harms affect victims for years while companies treat breaches as an inevitable cost of doing business. From this view, organizations collecting personal data become custodians with fiduciary-like obligations to protect it. When breaches occur, they result from: collecting data that was not necessary, retaining it longer than needed, failing to implement adequate security, ignoring known vulnerabilities, prioritizing growth over protection, and treating security investment as an optional expense rather than a fundamental requirement. The consequences for victims are profound and lasting. Identity theft takes months or years to resolve, damaging credit, blocking legitimate transactions, and creating stress and anxiety. Medical identity theft results in incorrect information in health records, potentially affecting treatment. Financial losses from fraud exceed what institutions reimburse. Reputational harm from exposed information cannot be undone. Victims face cascading breaches as stolen credentials enable attacks on other accounts. From this perspective, current breach responses are inadequate theater: companies offer credit monitoring that is worth little when the actual harm occurs years later, notifications provide minimal actionable information, liability is capped or non-existent for most harms, and fines go to governments rather than compensating victims.
The solution requires: treating data security as strict liability where breaches trigger automatic compensation regardless of security measures taken; criminal prosecution of executives whose negligence enabled breaches; mandatory insurance covering full victim compensation; data minimization requirements preventing collection of data organizations cannot protect; security standards with certification and regular audits; and victim rights including compensation for time spent remedying breach consequences, not just direct financial losses.

The Case for Breach Inevitability and Proportionate Response

Others argue that perfect security is impossible and that breach liability should focus on negligence rather than outcomes, recognizing that determined attackers eventually succeed despite reasonable precautions. From this perspective, organizations investing heavily in security still suffer breaches because: sophisticated attackers have unlimited time to find vulnerabilities, zero-day exploits target unknown weaknesses that cannot be prevented, insider threats cannot be eliminated entirely, supply chain compromises affect even careful organizations, and scale means that even small vulnerability rates affect millions when data volumes are large. Treating every breach as negligence would make data-dependent services impossible or prohibitively expensive. Moreover, breach harms are often exaggerated. Most stolen data is never misused. Credit monitoring and fraud protection prevent most actual losses. Identity theft is declining as security improves despite more breaches. From this view, the problem is not breaches but inadequate response and disclosure: delays in notification that prevent timely action, minimal information about what was compromised and what risks exist, insufficient support for remediation, and lack of transparency about breach causes. The solution involves: requiring rapid notification with detailed, actionable information; providing comprehensive remediation assistance including credit freezes and monitoring; establishing baseline security standards that provide safe harbor from liability when followed; focusing enforcement on clear negligence like ignoring patches, failing to encrypt sensitive data, or retaining information unnecessarily; and accepting that some breaches are inevitable regardless of security investment. 
Liability that treats all breaches as catastrophic failures regardless of circumstances would drive organizations toward minimal data handling that harms users by preventing beneficial services or toward accepting massive insurance costs passed to consumers.

The Notification Timing Problem

Companies often delay breach notifications for weeks or months, citing investigation needs, yet victims cannot protect themselves until they are notified. From one view, delays are inexcusable. Organizations should notify immediately when a breach is detected, even if its full scope is unknown, because delay prevents affected individuals from changing passwords, freezing credit, and monitoring accounts. Laws requiring notification within 72 hours demonstrate that speed is achievable. From another view, premature notification without understanding what was compromised causes panic and provides incomplete information. Organizations need time to determine the breach's scope, identify affected individuals, and prepare meaningful guidance. Notifying that "we had a breach but don't know what was taken or who was affected" serves no one. Whether speed or accuracy should be prioritized determines notification requirements.

The Credit Monitoring Illusion

Breached organizations routinely offer credit monitoring, which alerts individuals to credit inquiries or new accounts but does nothing to prevent identity theft and provides no help after theft occurs. From one perspective, credit monitoring is an inadequate response to serious breaches. Organizations should provide: compensation for time spent remedying breach consequences; liability coverage for losses that occur; identity restoration services with professional help; credit freezes that prevent unauthorized access; and actual monitoring of dark web and fraud forums where stolen data appears. From another perspective, credit monitoring provides a reasonable response to low-probability risks. Most breach victims never experience identity theft. Comprehensive coverage for potential but unlikely harms would be enormously expensive, with the costs ultimately borne by consumers through higher prices. Whether breached entities should compensate for possible harms or only actual losses determines response obligations.

The Cascading Breach Problem

Breaches cause cascading failures when stolen credentials work across sites because users reuse passwords, when stolen information enables social engineering for further breaches, and when compromised systems become attack platforms targeting others. From one view, this demonstrates that breach responsibility should extend beyond immediate victims to those harmed by subsequent attacks enabled by the original breach. Organizations should be liable for reasonably foreseeable cascading harms. From another view, holding organizations responsible for how others misuse stolen data is unreasonable. Users who reuse passwords bear some responsibility. Subsequent attack victims should seek remedy from their own service providers. Whether breach liability should encompass cascading harms or only direct consequences determines the scope of responsibility.

The Long-Term Harm Challenge

Breach harms often emerge years after the event when stolen data is used for fraud, credit applications, tax refund theft, or medical identity theft. By then, breach notification periods have expired, credit monitoring has ended, and establishing causation is difficult. From one perspective, this temporal mismatch reveals that breach responses are inadequate. Organizations should provide monitoring and liability coverage extending indefinitely because harms from stolen data can occur anytime. From another perspective, indefinite liability for breaches is uninsurable and would make any data handling impossible. At some point, responsibility must end. Whether breach obligations should match harm timelines or whether practical limitations require time-bounded responses determines what breached entities must provide.

The Class Action Settlement Problem

Breach class actions typically settle for amounts providing pennies per person to class members while paying millions to lawyers. From one view, these settlements demonstrate that legal remedies are inadequate and that statutory damages per affected individual are necessary to ensure meaningful compensation. From another view, they reflect that most people suffer no actual harm from breaches, making large individual payments unjustified. When millions are affected but few suffer losses, compensating everyone equally would either bankrupt companies or provide windfalls to those unharmed. Whether breach compensation should focus on actual damages or provide statutory amounts regardless of individual harm determines what remedies are appropriate.

The Question

If data breaches affecting hundreds of millions of people result in identity theft, financial loss, and lasting harm to victims while breached organizations pay modest fines and offer inadequate credit monitoring, does that prove breach liability is too weak, or does it reflect that most breached individuals suffer no actual harm, making comprehensive compensation impractical? When organizations treat breaches as inevitable costs of business rather than catastrophic failures requiring prevention at all costs, whose interests does the current liability framework serve: companies seeking to minimize consequences, or victims bearing the risks and suffering the harms? And if perfect security is impossible and some breaches will occur despite reasonable precautions, should liability focus on security adequacy or on breach outcomes, and who decides what security is reasonable when standards lag behind attacker capabilities?
