April 25th, 2006 by dm | Identity Theft, Law & Policy

The University of Texas at Austin’s McCombs School of Business has confirmed that almost 200,000 electronic records have been accessed illegally. The university confirmed that it learned late last week that Social Security Numbers and biographical information of students, alumni, faculty and staff might have been compromised. This is the University of Texas’ second major breach in three years.

In light of the almost daily announcements of thousands of records being stolen from various institutions, do we really need a federal data breach notification law, similar to what Congress has been working on over the past months? Let’s assume that Congress passes such a law and that all data breaches must be reported. What would happen then? Big breaches will be widely publicized, but over time people will become immune to the news of hundreds of thousands of personal records being stolen.

So what is the solution? Over the past few years, free-market advocates have argued that bad publicity (or the potential of bad publicity should a breach occur) would make institutions secure their systems. Obviously this hasn’t happened. Should Congress try to mandate some sort of minimum data protection requirements, instead of data breach reporting requirements? Congress has created similar legislation (HIPAA for example) where the main goal is protecting privacy, but this legislation has made the medical institutions that are subject to it increase their system security. Why not impose similar requirements on all major data processors?