A new book chapter by Jean Camp and me is now available. It appears in a new collection edited by George Yee titled Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards. Here is the abstract, citation information, and link to the book.
In August 2007 approximately 445,000 letters were sent to retirees who belonged to the California Public Employees’ Retirement System (CalPERS). This was a routine mailing, but all or a portion of each pensioner’s Social Security Number (SSN) was printed on the address panel of the envelopes, making this event anything but ordinary. This massive breach of sensitive SSNs, along with names and addresses, exposed these people to potential identity theft and fraud. What are the harms associated with a data breach of this nature? How can those harms be mitigated? What are, or should be, the costs and consequences to the organization releasing the data? While it is very difficult to predict the specific consequences of a data breach of this nature, a statistical model can be used to estimate the likely financial repercussions for individuals and organizations, and the recent settlement in the TJX case provides a good model of harm mitigation that could be applied in this case and similar cases.
Patrick, A. S., & Camp, L. J. (2012). Harm mitigation from the release of personal identity information. In Yee, G. O. (Ed.), Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards (pp. 309-330).