In the modern digitized and networked world, personal identifying information has quickly become a commodity that can be traded, sold, or given away like any other. The uses and potential abuses of personal identifying information, however, distinguish this commodity from any other. Personal identifying information can be copied infinitely, is often not protected nearly as well as physical commodities, and, most importantly, can have particular importance to the person identified by that information. The producer of a bushel of apples presumably cares very little about where his apples end up, as long as he is paid for them to begin with. The “producer” of a piece of personal information, however, is likely to care very much about where that information ends up and what the various handlers along the way are doing with it.

The information collected, which can be as benign as an address or as important as a Social Security number, is often given willingly as a legitimate part of a business transaction. It is when that information is removed from the original context it was given in that the problem arises. Giving the original producers of information knowledge on how to avoid theft of that personal identifying information is currently accomplished, however, insofar as it is accomplished at all, by a number of different incentive structures. These structures operate on both the companies that keep the data and the consumers whose data is being collected. The incentives include negative consequences upon businesses that allow data to be stolen from them, public information campaigns on avoiding identity theft for consumers, and some state laws that mandate disclosure of data breaches to those consumers who may be affected. The currently existing incentives can overlap and interact in complicated ways, but ultimately they do not appear to accomplish the desired result: drastically reducing the number of data breaches that impact consumers. To address this concern, some analysts have suggested a move away from indirect incentives and toward affirmative incentives regarding the storage of users’ data. This article will examine these incentives, question whether and why they do or do not work, and explore the need for further legislation. In conclusion, this article will offer some ideas for future legislation that modifies the existing incentive structure to better accomplish the goal of consumer protection.