What will stop the data breach flood? - Security Bytes
Oct 11 2007   11:04AM GMT


Posted by: Dennis Fisher
Data Breaches and Identity Theft, Laws, Investigations and Ethics

The discussion around what to do about the continuing flood of data breaches seems to be reaching a fever pitch. The Cyber Security Industry Alliance is currently pushing hard in Washington for a national data-breach notification law, preferably one that requires encryption of sensitive data. A similar effort is underway in England, and the National Retail Federation recently called for the credit card companies to drop their requirements that retailers store card data, a move the group believes will help slow the epidemic of data thefts. But the question remains: Will any of these measures have any real effect on the problem?

I wrote a column for today that examines the question of what can be done about the data breaches and proposes a couple of options. One of the ideas is a central database in which consumers could store their personal data, such as SSNs, health records, and financial records. They would then have the ability to grant access to that data on a need-to-know basis, at their discretion, similar to what Microsoft is doing with its HealthVault site. This system has a few technical and logistical challenges, but I think it could work on a voluntary basis. If you think such a drastic system isn’t necessary, have a look at this quote from Scott Berinato’s stunning story on Russian malware gangs on CIO.com:

“Do you have a credit card? They’ve got it,” states another researcher who used to write malware for a hacking group and who now works intelligence on the Internet underground and could only speak anonymously to protect his cover. “I’m not exaggerating. Your numbers will be compromised four or five times, even if they’re not used yet.”

It doesn’t get much more plain than that. Your data is at risk in ways that are surprising to even educated consumers and security experts. Something clearly needs to happen here. Let me know what you think that something should be.
