(no title)

> Why aren't costs involved with a mitigation actual damages?

They are. If you ever look at the damage caused by a hack it's in the millions and that's because they're including the time used to investigate and repair and mitigate further attacks is included.

“I want to drive my car without airbags, but I have all these other stupid people on the road who might hit me, so I have to invest in airbags. Maybe I should just preemptively sue them for forcing me to invest in my safety.”

> Sure it is. Money was spent that wouldn't have been if the situation didn't happen.

There are two problems with this.

First, for normal damages, there is some limitation on the costs. If someone breaks the lock on your door and does nothing else, you replace the lock, damages of maybe $40. If someone gets into your servers, you what? Spend ten minutes to check the logs and rotate keys? Wipe and rebuild all the servers? Does the reasonableness of that depend on whether that's an automated process or a manual one? Maybe you should delete your entire code repository and have it rewritten from scratch, in case knowledge of the code could have helped some attacker? There is no upper limit to the amount of resources you could spend investigating something, and then companies with unlimited resources would effectively get to use it as a cudgel against someone who embarrassed them, because $10M is nothing to them but is a life-destroying amount of damages to some kid who made a mistake.

It's like claiming that someone broke the lock on your door so now you're not sure if someone might have been inside and you have to strip the whole building to the rafters to check if someone has planted a listening device or hidden some crypto mining hardware inside the walls, even though you're a company that sells tile and carpets.

Second, if doing the latter was in some way actually justifiable then the company should be periodically doing it anyway, because if a vulnerability existed then it could have been exploited whether anyone was detected or not, so if spending that level of resources could be justified "just in case" then it isn't money that was spent that wouldn't have been if the situation didn't happen. Unless they're full of crap that all of it was actually necessary.

Physical metaphors rarely work for software.

In your scenario, someone _could've_ broken the lock because you're renting a lock from a locking agency Lock Engine, who copied a lock design from LockPress, and LockPress decided not to mail them design flaws anymore.

In the real world, vulnerable locks don't ever get fixed. At worst, locks get recalled, and you get your money back. Lock designs don't get shared freely, and if they do, there is no expectation of informing people that may have copied designs of potential flaws.

If your house got broken into, you should sue Lock Engine, because they're not providing the service you're paying for. Suing LockPress for the lock design Lock Engine decided to copy wholesale is pure nonsense.