Every time a massive data theft or breach happens, I keep kicking myself for not starting up that list of all such compromises that I promised myself I would start (and maintain here on ZDNet). The last one of these, which I think is also the largest, involved 26.5 million records containing the personal information of U.S. veterans. I don't think most people realize how bad the situation is, which is why I thought a list would have more impact. The problem is compounded in some cases by the failure to report the theft or breach on a timely basis. In the case of the U.S. veteran data, the Veterans Administration (VA) didn't report the loss for nearly three weeks.
Whereas public disclosure requirements exist in some states, like California, they don't in others. Things are less organized at the federal level, where at least two separate bills are under consideration by the Senate and at least another two are under consideration by the House. In the House, the two pieces of relevant legislation that are in varying stages of development are the Financial Data Protection Act of 2006 (House Commerce Committee) and the Cyber Security Enhancement and Consumer Data Protection Act (House Committee on the Judiciary). The former is considered a joke by some because disclosure is only triggered in the event that a breach is "reasonably likely to result in substantial harm or inconvenience" to consumers whose personal information was included in the breach. Similar "toothless bills" are being considered in states like Arizona. Not surprisingly (some lobby is obviously at work here), in a case of the fox guarding the henhouse, the highly subjective measurement of harm is left to the data custodian itself to conduct.
According to Wired Magazine, Microsoft is on record as favoring a similarly weak trigger for notification:
In 2002, the Federal Trade Commission charged Microsoft with falsely claiming that consumer data held in its Passport electronic wallet service was highly secure. The company settled, agreeing to bolster Passport's security... Speaking to a roomful of privacy advocates, [Microsoft lawyer Michael] Hintze outlined a detailed plan for a federal law that he said would protect consumers while clarifying the responsibilities of corporate America... Microsoft prefers that customers be notified only when a company determines there's a "reasonable risk of a material harm happening to a consumer," said Hintze. "If the trigger is too low ... people will get notice fatigue. People will get notices all the time."
To that I say, fatigue me. Notify me. Immediately. I don't know about you, but when I find out that someone I've entrusted my personal information to loses track of that information, I want to know so I can take my business elsewhere. And there's nothing like the risk of a consumer-inflicted financial penalty to scare the daylights out of any business.
What does any of this have to do with my headline? Well, I'm not going to bother making that list. That's because the Privacy Rights Clearinghouse already has one that lists the breaches that have been reported. There's no telling which ones haven't been reported. But I'll venture a guess that the list of unreported incidents far outnumbers the list of reported ones. Based on the size and frequency of these breaches (as well as the brand names involved -- brand names we assumed we could trust), theft of your identity doesn't appear to be an "if" question. If it hasn't happened already, it's just a question of when. A very sad state of the state if you ask me.