81 points impish9208 | 2 comments
MattSteelblade No.41917058
> Unisys will pay a $4 million civil penalty;

> Avaya will pay a $1 million civil penalty;

> Check Point will pay a $995,000 civil penalty; and

> Mimecast will pay a $990,000 civil penalty.

With the exception of Mimecast, these are companies that are bringing in billions of dollars in revenue annually. How is this supposed to deter them?

replies(7): >>41917158 #>>41917164 #>>41917717 #>>41917985 #>>41918127 #>>41918370 #>>41918473 #
teeray No.41917985
The law should be written to require a mandatory percentage of revenue. That will wake them up.
replies(2): >>41918203 #>>41918479 #
JumpCrisscross No.41918479
> law should be written to require a mandatory percentage of revenue. That will wake them up.

Percent-of-revenue fines are regressive with respect to margin.

10% of Walmart's revenue is 4 years' profits. 10% of Equifax's is a few quarters'. Moreover, you'd have a bureaucrats' delight of companies splitting revenues across entities while courts have to litigate common control claims. Unless you have a good reason to punish low-margin businesses more heavily than high-margin ones, this is an inefficient scheme.

Better: fines based on damages, trebled.

replies(1): >>41918717 #
TeMPOraL No.41918717
> Better: fines based on damages, trebled.

Except damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line.

replies(1): >>41919928 #
JumpCrisscross No.41919928
> damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line

Through private action, yes. Use statute to define damages as a function of the number of people affected, the type of data released, and whether the company self-reported or was caught, by the public or a regulator. Add enhancements if the company was reckless, the data was out there for longer than a month, or if it was accessed by foreign adversaries.