Two high profile data (Sony’s Playstation and Epsilon) breaches have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005.5 According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – have risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions.
Given the growing scale and persistence of these high profile data thefts, it is appropriate to question whether enough is being done to solve the data breach problem. Although some state and federal regulations require companies to notify affected consumers of a data breach, the financial and reputational cost of notification may not provide many companies with adequate incentive to properly protect consumers’ data in the first place. Any federal action on data breach should be a mix of requirements and incentives for both companies and government bodies to install sufficient front-end data security measures, to minimize their holdings of consumer data that is no longer necessary for a specific, legitimate purpose, and to develop structures that monitor and control where consumer data resides. Finally, although data breach is an important problem, new rules on data breach would be best addressed as one part of comprehensive baseline consumer privacy legislation.