The new GAO report on data breaches is out and, yes, this is the title: Personal Information-- Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent Is Unknown. We agree with the post Who should decide if you get notice of a security breach? by privacy expert Michelle Jun over at the Consumers Union blog. She says: "We believe the consumer should always know."

The GAO study concludes that banks and others don't really have a clue about how often their sloppy practices and data losses lead to identity theft. So, in our view, any federal breach notice law should result in the potential identity theft victim whose data were lost always being told of the breach, just in case. Of course, those same banks that don't know what happens to the data they lose are arguing to Congress that they shouldn't have to tell, unless they know that there is a high (as they see it) risk of harm (to you). Probably makes no sense to you, dear reader, unless you're a banker.