Hacker News

> At some point people will realise that holding large quantities of sensitive information is a liability, not an asset.

That's my line :):

"It forces you to think about data as a liability, rather than an asset and that particular mindset is a good one to have when you are dealing with end user data."

https://jacquesmattheij.com/gdpr-hysteria-part-ii-nuts-and-b...

It stood the test of time rather well. Now we see a US push for a similar law and articles such as this one hopefully will cause that to arrive sooner rather than later.



This company is dealing in financial transaction data. Someone needs to hold it, and it can be deleted (especially when someone asks for it). I don't see how this particular situation advances your position.


For one, they could split it into 'hot' data and 'cold' data that needs to be stored for legal and compliance reasons but that does not necessarily need to be part of the live set. That strategy alone would seriously limit the impact of a lot of these breaches.


I hadn't actually read your GDPR series, thanks!

Absolutely agree, and to further it I think this data liability goes beyond PII. Any data which could be used nefariously if publicly available is a potential liability if leaked - NDA'd documents, product roadmaps, source code of closed source software, private keys, pre-results earnings, the list is enormous.

With the shift in the economy from physical goods to IP, I don't see why laws for physical goods storage, warehousing and safekeeping (e.g. safety deposit boxes) won't be updated to include the digital equivalents in the not too distant future. And at that point I wouldn't want to be a Dropbox, EC2 or DigitalOcean unless I was very, very sure of my security systems, never mind being a Facebook or Google.


Having a good definition of the data life-cycle is a very important step. A lot of companies only do CRU but forget about the D because they feel that more data is more value. As you correctly infer, at some point in time the value of the data no longer outweighs the liability and it should be deleted, and long before that it should probably be moved to a much harder to reach system that contains historical data.



