Sony's greatest faults were confusing its customers by going public with information before it was ready, and storing old, encrypted financial data belonging to thousands of users, said Beth Givens, director of Privacy Rights Clearinghouse. But far worse breaches have received much less attention, Givens said.
For example, in March health care services provider Health Net lost medical data, Social Security numbers and financial information belonging to 1.9 million customers. With Social Security numbers, identity thieves could seriously disrupt the lives of Health Net's customers -- Sony says that the vast majority of its victims had little more than their names and e-mail addresses stolen.
And while there has been little coverage of the Health Net breach, the New York Times has called on Sony to provide a credit monitoring service known as a security freeze to its 102 million affected customers. A security freeze would stop ID thieves from opening new accounts, but it "makes no sense" in the Sony case, Givens said. That's because criminals can't establish fake financial accounts with the Sony data. "In the Sony case, Social Security numbers were not compromised. It's credit card numbers and debit numbers," she said. "A security freeze is overkill."
Still, the lesson from the Sony breach may be that customers are fed up with companies that don't take their privacy seriously, and expect to be told about data breaches as soon as they happen.
"This is the direction that we're going," said Pete Schlampp, vice president of product management with Solera Networks, a seller of network security tools. "The public's expectation is to be notified immediately."