Why Possession of Personally Identifiable Information Should be Taxed

Companies love holding on to information, the more personal it is the more valuable it is to them. And they get hacked. The more data, the juicier the target, hence we regularly see big names like Discord or DoorDash or Quantas Airways or Volvo or AirFrance/KLM or TransUnion getting hacked with personally identifiable data (PII) stolen. All of these were breached in the last 12 months, and most of them were holding on to data they probably didn't need to.

Holding on to PII has very little downsides for companies. Even once you loose it in a hack, it usually suffices to blame the hackers and carry on with business as usual. The companies listed above exposed huge amounts of PII to hackers, yet their business remains largely intact. The costs have been paid for by the general public, who get phished, hacked or their identity stolen as a direct result of such breaches.

Hence it only seems natural, that regulation should be introduced that taxes companies for holding on to PII. Holding on to PII creates a risk for the general public, the taxes can be used towards mitigating bad outcomes for the public, or state-level security programs that audit companies.