If your point is that the extra attention placed on huge breaches ends up reducing the risk to any individual, it is certainly an interesting one. I think that was something Chris Walsh brought up during the VA breach discussion, and I’ve discussed it as well.

I am a bit skeptical, however, that we can really do anything in the recovery/response phase of a breach that would lead to the 25x improvement suggested by the difference. I think it is simply due to the abundance of records available.

The other thing that got brought up was the length of time that someone has to compromise the IDs…

If a million people get their data stolen, someone is going to do something about it without you needing to do something.

If a hundred people get their data stolen, it’s probably up to you.