The act of stealing someone's identity is illegal. Allowing crackers to steal the identity in the first place isn't, but it should be. The most recent case is a doozy: Best Western gave up every piece of data on every customer of theirs since 2007. Note the choice of words -- they gave this information to criminals, whether they meant to or not. Every year, we're treated to several stories of large corporations losing personal information collected from their customers. I wrote about this back in May of last year, and obviously nothing has changed.
I've had to change my credit card numbers several times in the past few years simply because I used them at TJ Maxx and Hannaford stores, both of which managed to give away that information to criminals. The banks covered the losses from illegitimate charges on those accounts, but I had to spend several hours canceling the cards, modifying all the direct-charge accounts that used those numbers, like my Netflix account, and live without my debit or credit cards for a week or so each time. Once, my card was canceled while I was traveling. There are few things more frustrating than to be on the road with only a few bucks in cash and no access to my accounts because of Hannaford's problems.
This isn't acceptable. I'm tired of playing craps with my identity every time I use a credit or debit card. I can't come up with any justification for TJ Maxx or Hannaford's practice of retaining sensitive credit-card information. They shouldn't keep this data in the first place, much less give it away to anyone who manages to breach their security. And that's the crux of the issue. You can consider this information "stolen" from the corporation, or you can consider it as given away via negligence. As far as I'm concerned, it's the latter.
The responsibilities attached to retaining sensitive personal identity information should include criminal charges against the company responsible for a leak, in addition to the party that receives the information. This isn't a case of blaming the victim, since technically speaking, the company isn't the victim -- their customers or employees are. The company is complicit in the theft of this information since they retained the data in a database that was improperly secured. They should thus be charged as an accessory. Further, attempting to cover up the fact that customer identity information has been stolen should result in even harsher punishments.
Until the penalties for giving away sensitive information in this manner include heavy fines and possibly even jail time for those responsible for securing that information, we'll see this problem occur again and again. The only ramification for these companies now is some bad publicity. That's simply not sufficient.