
This problem was created by regulation requiring companies to store ID information. More regulation the answer?


You can tokenize the data [1], you can dispose of it after you've used it for the business process [2], you can vault it with a custodian. Lots of solutions. I have implemented more than one in the consumer credit space.

Regulation is usually the answer. More? Better. It ain't gonna regulate itself. Storing and processing data securely is not hard. It is work though. Breaches happen because systems and corporations don't care [3], they aren't exposed to the cost of data loss, as there is none.

Would you prefer the business not store the data, but the government attests to your identity (as part of a proofing request and flow) and also stores the receipt and AML/KYC metadata? There are legal and compliance requirements in the finance space unfortunately, and those are not going away. If identity is a requirement, a system must attest to it, and logs of some type must be created to document the ceremony.

[1] https://en.wikipedia.org/wiki/Tokenization_(data_security)

[2] https://en.wikipedia.org/wiki/Crypto-shredding

[3] https://en.wikipedia.org/wiki/List_of_data_breaches


You don't think there are brand and reputational risks with data breaches, or cost to notify and provide free credit reporting?

Breaches only happen because corporations "don't care"? I guess the US government doesn't care, then?

Event Description                                | Date          | Agency                         | Number of People Affected
-------------------------------------------------|---------------|--------------------------------|--------------------------
SolarWinds Cyberattack                           | December 2020 | Multiple federal agencies      | Approximately 18,000
U.S. Office of Personnel Management (OPM) Breach | June 2015     | Office of Personnel Management | 21.5 million
U.S. Department of Veterans Affairs Breach       | May 2006      | Department of Veterans Affairs | 26.5 million
Georgia Secretary of State Office Breach         | November 2015 | Georgia Secretary of State     | 6.2 million
Virginia Department of Health Professions Breach | May 2009      | Virginia Department of Health  | 8.3 million
Texas Attorney General Office Breach             | April 2012    | Texas Attorney General         | 6.5 million
Department of Transportation Data Breach         | May 12, 2023  | Department of Transportation   | 237,000
National Public Data Breach (reported)           | August 2024   | National Public Data           | Nearly 3 billion


Based on my experience in the space, I can say with some confidence that there is very low brand or reputational risk (or it is so low as to be immaterial) with regard to a breach. $1M-$3M in most cases, which is cost of business (notification campaigns, buying credit monitoring, etc).

Edit: Your examples are outliers, based on the data, and those costs are not brand and reputational, they are settlements or fines (which are rare). If you want to move goal posts, that's a choice. No one is going to stop using Equifax for consumer reporting data or Target because of their cybersecurity posture (i.e. brand and reputation damage).

https://www.ibm.com/reports/data-breach

https://www.vox.com/the-goods/23031858/data-breach-data-loss...

https://www.idtheftcenter.org/post/itrc-sees-third-most-data...


Wrong.

Heartland Payment Systems - Although the company did not go out of business, it suffered significant financial losses from a major breach in 2008, leading to over $110 million in settlements and fines. This incident severely damaged its reputation and operational capacity.

Target - The retail giant faced a massive data breach in 2013, which compromised approximately 40 million credit and debit card accounts. While Target did not go out of business, the breach led to substantial financial losses, including an $18.5 million settlement with state attorneys general.

Equifax - The credit reporting agency experienced a breach in 2017 that exposed sensitive information of about 147 million people. Although Equifax remains operational, the breach resulted in over $700 million in settlements and significant reputational damage.

MySpace - While MySpace did not directly go out of business due to its data breach in 2016 (which affected 360 million accounts), it lost significant market share and relevance, ultimately leading to its decline as a social media platform.

FriendFinder Networks - This adult entertainment company faced a severe breach in 2016, affecting 412 million accounts. While it has not officially declared bankruptcy, the breach contributed to its ongoing struggles in a competitive market.

Ashley Madison - The dating site for extramarital affairs suffered a data breach in 2015 that exposed the personal information of millions of users. The fallout from this breach led to lawsuits and significant reputational damage, severely impacting its business operations.

NortonLifeLock (formerly Symantec) - Following a series of breaches and security issues, the company faced declining revenues and market share, leading to a significant restructuring and changes in business focus.


> Target - The retail giant faced a massive data breach in 2013, which compromised approximately 40 million credit and debit card accounts. While Target did not go out of business, the breach led to substantial financial losses, including an $18.5 million settlement with state attorneys general.

An $18.5m fine for a company with around $25b in quarterly revenue.

> Equifax - The credit reporting agency experienced a breach in 2017 that exposed sensitive information of about 147 million people. Although Equifax remains operational, the breach resulted in over $700 million in settlements and significant reputational damage.

Yeah, take a look at Equifax's financials. It has done nothing but go from strength to strength since 2017, and the financial impact of that incident is nothing more than a speed bump.

Equifax has more than doubled its market cap, grown its revenue by over 60% and has remained extremely profitable at all times since then.

Anyone who bought Equifax stock in late 2017 has done very well.



