CSO

In addition to everything said so far,

a) Get rid of the interstate commerce provision. I'm not sure how you'd go about this legally, but we need a single (set of) law(s) that cover intra- and interstate commerce.

b) Reinforce, reiterate, reimplement, and ENFORCE, the original requirement from the Social Security Act that the SSN cannot ever be used for any reason by anyone excepting the Social Security Administration and the individual. No more using it as the unique ID for every database around.

c) Make the breach and notification laws part of the criminal code, not the civil code.

d) Unsustainably large criminal fines and possible jail time for failing to notify individuals after a breach. So large that a multinational would be bankrupted by conviction for nonnotification after a breach exceeding a few thousand identifiers.

e) Painfully large fines and possible jail time for the breach in the first place. Put the penalties at least on par with those for breach of fiduciary duty.

f) Legally enforceable (criminal, not civil) requirement that anyone, and I do mean anyone, public or private, including law enforcement and your doctor, who holds any information on you that constitutes a "personal identifier" under the law provide to the individual, upon request, a _complete_ copy of their files on you, for no more than a nominal copying and mailing cost. Say no more than a dimre or quarter a page for copying/printing and a couple of bucks for mailing.

The bottom line is that these people think, believe, and act like it's their information, not mine. That's a load of bushwa and needs to be corrected immediately.

Heck, maybe just amend the kidnapping legislation to apply the same criminal code to data breaches and failure to notify.