I read in my own hometown paper, the San Francisco Chronicle, that subscribers’ vacation hold data had been misappropriated by nefarious actors intent on using the start and stop dates to target burglaries. Of course, I had to browse all the way to page B-3 of the paper to read all about this.
Now, the Chron would argue that the kinds of data accessed – home addresses and vacation dates – isn’t the kind of data that requires a more formal notification. And they’re right. Most state legislatures intended to capture the kinds of data that would lead to identity theft and mandated formal notification for unlawful access to that data.
But common sense would indicate here that the subscribers the Chron has put into danger of burglary (and worse) deserve some kind of notification here. I’m not arguing that it should be legally required, but it seems like some notice, beyond just a short blurb buried deep in the paper, might be good customer service.