From Bruce Schneier’s “Identity-Theft Disclosure Laws” (Crypto-Gram Newsletter: 15 May 2006):
Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place.