Washington Times: Onus To Protect Identity (from my archives)
To combat evolving identity theft threats, policymakers must enforce stronger data security standards and hold negligent data handlers accountable.
Revisiting My 2006 Op-Ed on Data Security Failures
Back in 2006, I wrote an op-ed for The Washington Times titled Onus to Protect Identity, where I warned that identity theft was becoming an increasingly lucrative crime due to weak security measures by institutions that held sensitive personal information. At the time, high-profile data breaches—from government agencies to private corporations—revealed just how recklessly personal data was being handled.
Yet, despite the rising threat, my argument was that lawmakers and regulators were focusing too much on punishing identity thieves rather than holding data handlers accountable. I proposed a shift in legal and regulatory frameworks that would place liability on institutions that failed to properly safeguard personal information.
Key Points from My 2006 Op-Ed
Identity Theft Was a Crime of Opportunity
While the average bank robber stole about $2,500 per heist, identity thieves could extract $20,000 to $30,000 per victim.
Institutions holding personal data—banks, universities, government agencies, and businesses—were in the best position to prevent identity theft but had little incentive to do so.
Institutions Were Grossly Negligent in Handling Personal Data
I cited multiple egregious cases of mishandling personal information:
Berkeley’s exposure of 98,000 Social Security numbers from a stolen laptop.
A national tax firm in Ohio discarding customer tax returns in a dumpster.
Blockbuster Video leaving boxes of customer data—complete with Social Security numbers and birthdates—on a sidewalk.
The lack of consequences for these failures allowed such practices to persist, contributing to a growing epidemic of identity theft.
The Legislative Approach Was Misguided
Lawmakers were overemphasizing penalties for identity thieves rather than creating clear security mandates for those entrusted with personal data.
Simply increasing criminal penalties did little to prevent identity theft because the real vulnerability lay in institutions failing to secure data properly.
A Two-Pronged Solution: Regulations and Private Litigation
I argued for clear and enforceable data protection standards, including:
Immediate notification requirements when a data breach occurred (as California had pioneered).
Mandatory data encryption for sensitive information.
Stricter limits on the use and dissemination of Social Security numbers.
Beyond regulation, I advocated for the creation of a private cause of action, allowing victims of identity theft to sue institutions that failed to safeguard their data.
This would function similarly to consumer protection laws, empowering individuals as “private attorneys general” to enforce compliance through litigation.
To balance concerns about frivolous lawsuits, I proposed a safe harbor for companies that met a defined set of security standards—ensuring that only truly negligent entities would be held liable.
What’s Changed Since 2006?
Nearly two decades later, identity theft remains a pervasive problem, and the legal landscape has evolved in some ways—but not always in the direction I recommended.
✅ Adopted Measures:
Mandatory breach notification laws: Nearly all U.S. states now require companies to notify affected individuals when personal data is compromised.
Limits on Social Security number use: Government agencies and financial institutions have increasingly moved away from using Social Security numbers as primary identifiers.
More stringent disposal requirements: Laws now require companies to securely destroy physical and electronic records containing sensitive information.
❌ Still Missing or Incomplete:
No broad federal data protection law: Unlike Europe’s GDPR (which I think is misguided, but flagging it here nonetheless), the U.S. still lacks a comprehensive federal privacy and data security law, relying instead on a growing patchwork of state laws.
No clear liability for negligent data handlers: The idea of allowing victims to sue for improper data security practices has not been widely adopted, meaning companies can still get away with weak protections as long as they comply with basic breach notification laws.
Identity theft has evolved into synthetic fraud: Criminals are now creating entirely new identities using AI-driven techniques, making fraud detection even harder.
Tech companies have become new data guardians: In 2006, the biggest risks came from financial institutions and government agencies; today, social media platforms, cloud storage services, and AI-driven databases hold unprecedented amounts of personal data—often with inconsistent security measures.
Where Do We Go From Here?
While some of my 2006 recommendations have become reality, others remain unaddressed, and the threat landscape has evolved far beyond simple identity theft. The next phase of legal reform should focus on:
A unified federal standard for data security, preventing a patchwork of inconsistent state laws.
Real consequences for negligent data handlers, including a form of fiduciary responsibility for sensitive data.
Expanded protections against AI-driven fraud, including synthetic identity theft and deepfake-enhanced impersonation.
I'd love to hear your thoughts—should companies be held to a higher standard of care when handling personal data? Let me know in the comments.