A few states require organizations that suffer security breaches compromising customer data to report those incidents to the state as well as to the affected individuals. One of those forward-thinking states is New Hampshire, and the state has gone a step further and decided to post to its Department of Justice Web site all of the notification letters it receives. The archive only goes back to November 2006 right now and includes a few dozen entries, but that will grow as more companies are breached.
This is the next logical step in the process of getting consumers as much information as possible about these security lapses. After all, it’s their data that’s at risk, so they’re entitled to whatever information is available. Chris Walsh, who contributes regularly to Adam Shostack’s indispensable Emergent Chaos blog, has been following state data theft disclosures and has put together a slick diagram using data on breach notifications in New York and North Carolina, showing how breaches in one locale affect people in others. It will be interesting to see whether other states adopt this same practice and what, if any, effect it has on the way consumers and the reporting companies treat these incidents.