In Massachusetts, 201 CMR 17.00 sets a $5000 per violation fine for losing personal information. The law itself is poorly written, so it's unclear if a violation is per individual, or per incident. I would love to see it enforced per individual, and for our AG to go after and destroy Anthem, and all the other companies that keep getting away with this.

If enough companies are destroyed, eventually they will start taking security seriously.