. . . Laws such as the California Database Breach Act require that customers must be informed when their data is compromised, Darren Hayes, chair of Pace University’s Seidenberg School of Computer Science and Information Systems, points out. “However, the law does not stipulate any liability if the customer becomes a victim of identity theft.”
. . . Hayes reports that many Fortune 500 companies have outsourced their server management to third parties and do not fully understand how secure their customer records are. Internal security processes tend to be very poor as well, he says. For instance, companies are still not requiring their employees to encrypt their laptops and USB devices that are attached to company computers. “Very recently a BP employee lost an unencrypted laptop with claimant information,“ Hayes says. “There is a cost to encryption and many companies will not pay.” Read the blog on Forbes.com.