Comment by ziddoap

Have they ever issued a fine for 4% of revenue? That's the maximum fine possible, under the non-standard "higher maximum" category. This breach surely won't be given the maximum considering there isn't really anything noteworthy about it.

We should consider the maximum that has actually been issued, than subtract some off of that. You also have to subtract out all of the money they saved over the years of reduced investment into security.

I think that lands us squarely back into "cost of doing business" land.