Data breaches, e.g. malware, network intrusions, or physical theft, that lead to the compromise of users’ personal data, happen often. The impacted companies lose reputation and have to spend millions of dollars providing affected users with identity and credit monitoring services. Users can suffer from fraudulent transactions and identity theft. At present, there are no mechanisms that both cover the risk from accidental data breaches and incentivise best practices that would prevent such breaches. This paper proposes a data breach insurance mechanism and the associated risk assessment technology to meet these goals. In so doing, we break from (failed) past approaches that seek to solve the problem solely through technology.