The Post is right: Identity theft is serious business [editorial, June 30]. But it is incorrect to assert that laws requiring businesses to notify consumers about lost or stolen data are resulting in notices about "trivial" breaches. No law requires businesses to alert consumers unless sensitive data such as Social Security numbers have been exposed.
Businesses argue that they should be given leeway to decide whether a breach is serious enough to tell consumers about. However, some businesses have different ideas about when consumers are at risk. For example, CitiFinancial recently claimed that 3.9 million consumers were not at risk of identity theft after the loss of its backup tape containing Social Security numbers, even though it had no idea where the tape was and the data was not encrypted.
Why should consumers have any confidence that businesses will do a good job of evaluating risk? The companies' track record on keeping data safe has been sloppy. When consumers' unencrypted, sensitive information has been breached, they need to know about it so they can take steps to protect themselves.
Indeed, more must be done to protect against identity theft. Stricter regulations and legal liability may be a good start, but they're not enough. What's needed is an information protection rating system, similar to credit ratings for stocks and bonds, that ranks credit companies on their security practices. As a consumer, I feel helpless when I hear of security breaches. But if I knew which companies offered the most security, I would use their services. Along with regulations, public ratings would offer credit companies enough incentive to protect my information.