Today, 47 states require companies to notify consumers of data thefts, including Kentucky, which enacted such a law this year.
via A Contrarian View on Data Breaches – WSJ (pay-walled; try accessing it via Google. There are also lots of good responses in the comments there).
The idea that it’s O.K. not to notify consumers when their personal data has been stolen is a truly messed-up way of looking at things and a perfect example of why government needs to get all up in business’s … uh … business. I can understand withholding information in some situations: an ongoing criminal investigation, nation-state attacks on utilities, even breaches that caused a loss of intellectual property not relating to customer data. But once consumer data is involved, it can mean a lot more of a headache for your customers than just replacing their credit card. Which, by the way, I’d happily do to avoid dealing with fraudulent charges should they appear. There is not only the risk of credit card fraud but also of identity theft.
And if any company thinks they’ll be safer not notifying the public, they’re in for a world of pain. Doing that means you have actively withheld information related to a crime (credit card fraud/identity theft, not your lame security). If you think that’s the way to go, you should seek out the opinion of the major automobile manufacturers.