There's a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes:
"If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never gets detected as having been revealed."
Data breaches are not meaningful because of identity theft.
They are about honesty about a commitment that an organization has made while collecting data, and a failure to meet that commitment. They're about people's privacy, as the Astroglide and Victoria's Secret cases make clear.
We shouldn't allow the discussion to center on ID theft. It should center around the meeting of the minds, and the exchange of value.
That was the point of my privacy-enhancing technologies talk: that we've got to look at these things as privacy issues, not just security issues.
Photo: "Handshake through TFT screen," by Henkster on Stockxprt.com.