Whither the privacy breach case studies?
Few weeks have passed in recent years without news of yet another data security breach that has the potential to impact upon the privacy of individuals. Following each event, there is signi cant coverage in both the mainstream media and the trade press; there is much handwringing; the organisation involved might be damaged ( nancially or reputationally, or both); there will be guesses as to the long-term e ects on the individuals concerned; and then things move on . . . until the next incident occurs, when the cycle is repeated. While some elds have a long-standing culture of learning lessons from disasters, giving rise to new and/or improved processes | both for the organisation itself and for the relevant sector as a whole | for a variety of reasons this is not the case in information security. We argue that a culture shift is necessary, and that the publication of well researched case studies describing privacy breaches, which has the potential to be impactful in a variety of ways, is well overdue.