Into the Breach


I've noticed a slew of data breach stories over the last six months.

Most recently, at Johns Hopkins (Reasonable Basis). Prior to that, twenty-six IRS tapes "went missing" (Privacy and Security Law Blog). TJ Maxx was before that (InformationWeek). And before that, UCLA lost a bunch of student/alumni personal information (SearchSecurity.com).

Unfortunately, data breach rules are sketchy or non-existent. I posted several months ago about a federal court rejecting (based on a theory of no demonstrable harm) a data breach class action against Acxiom. Most states do not have data breach laws; the ones that do (California, for example) only require notification to the affected individuals. The laws generally do not create a cause of action for damages arising from a loss of personal information held by a third party. Accordingly, the terms of today's debate center on when and in what circumstances custodians must provide notice to affected individuals of a data breach. (Granted, governmental agencies have enforcement authority over companies with lax practices, but this doesn't seem like as powerful a deterrent in this context.)

I suspect enterprising plaintiffs' lawyers may have a hand in changing this regime. In the meantime, Senators Specter and Leahy have re-introduced a privacy bill (Personal Data Privacy and Security Act of 2007) [64 page pdf file]. The bill is wide ranging and, among other things, requires periodic testing and risk assessment by those who house sensitive data. The bill also requires notification of a data breach. The bill does not create any private causes of action, and provides for enforcement by state and federal agencies. I'll have to take a closer look as time permits, but I suspect that the bill will only create another lawyer layer of bureaucracy. The bill will spawn an industry of "data security compliance consultants". As to whether the bill will spur companies to actually change their practices, it's tough to say.
