Many, if not most, ordinary business transactions today require the sharing of some personal information. A person who uses a credit or debit card to buy a cup of coffee in the morning is giving the coffee shop his or her name, account number, and possibly a way to access even more information. The coffee shop needs to keep this information at least long enough to process the transaction. Whenever we let someone see our information, however, we run the risk that the person we want to show it to will not be the only person to see it. Leaks of personal information, both accidental and intentional, can lead to our information getting into the hands of persons whose intentions are not always benign.
Data security experts work constantly to find new and better ways to keep data secure. Unfortunately, complete or perfect security is something that may never happen. Data thieves work hard (and, too often, successfully) to find ways to evade new security measures. There is also the prospect of human error: a thoughtless, seemingly minor mistake can result in a release of data that is just as damaging as a deliberate theft.
While data security breaches may never be eliminated, steps can be taken to mitigate their impact. The first step in mitigation, of course, is knowing that a breach has taken place. Every U.S. state, plus the District of Columbia and Puerto Rico, has a law that requires businesses to provide notice of security breaches that result in the release of personal information. These laws set out the events that will trigger the notification requirements, and the form that the notice will take. The laws will also specify the parties to whom notice must be given (that is, whether only the affected persons must be notified, or state regulators as well).