The BNY Mellon breach story keeps getting bigger:

Ponemon Institute estimated that in 2007 companies spent an average of $197 per record following a data breach, which would put BNY Mellon’s price tag for this boondoggle at $886 million. But, in the wake of the breach that affected hundreds of thousands of Connecticut residents, Connecticut Attorney General Richard Blumenthal has pushed BNY Mellon to increase its credit monitoring guarantee from one to two years and provide $25k in identity theft insurance with no deductible. And even that’s not enough for plaintiff’s attorneys, who are clamoring for BNY Mellon and People’s Bank, the Connecticut institution that had the largest number of affected customers in the breach, to spring for seven years of identity theft protection.

I hate to say it but what is to stop companies from saving cash just to pay insurance and identity theft protection post-incident? Is the cost of prevention higher? If so, then keeping cash liquid instead of investing in identity theft prevention will be hard to argue against.