
Even simpler:

If "adequate" protections are missing: Pay every breached user $10.

That way such a breach gets a hefty price tag, and devs/PMs could argue to management that it is economically feasible to implement these measures.

I know of a PM who tells devs that report security problems inside his product that they should not care, but instead finish "that new shiny little thing", and that that is their job in his opinion, not detecting some strange security problem.



Well, what would happen is that any sane business would take out insurance, and the insurance companies would mandate / audit security best practices.

If a shop wants to insure its stock, the insurance company tells them what they need. An alarm? Big metal shutters? A night guard? Depends what you are guarding.

In practice, a password is pretty valuable. Not to the company, but the loss to the user can be pretty significant.

In the UK, the Data Protection Act does allow fines against companies that fail to encrypt specific information (including passwords). They handed out 2.5MM in fines last year, but I think they mostly go after people selling data, rather than those just messing up and losing it.

Recent UK fines: http://www.ico.org.uk/enforcement/fines

OH WOW, they fined Sony after the geohotz hack http://www.ico.org.uk/enforcement/~/media/documents/library/... (only £200'000, but still)


It would be next to impossible to track down the majority of users, and I doubt each user would like to fork over more personal info for just $10. The money paid out would be very small compared to the number of accounts.



