On Friday, the Canadian Bar Association's Access and Privacy Law Section executive had a unique opportunity to meet with the Federal and Provincial Access and Privacy Commissioners in Ottawa. It was a very interesting and useful session, but off the record.
The issue of notification of data breaches was raised and I was asked at the lunch by one of the Commissioners whether there has been serious research on the topic. Because there is no law (other than PHIPA in Ontario) that requires notification, any business dealing with an incident will need to consider what information, if compromised, will result in actual loss or harm to the individual(s) in question. The Commissioners are increasingly being contacted by businesses who want to know whether they should contact affected individuals, but they don't have all the information to fully assess the risk.
Though the media is full of information related to identity theft, I couldn't point to any substantive research of what information is useful to identity thieves. I know anecdotally that name, address, social insurance number (or SSN in the US), date of birth are the "keys to the kingdom". If anyone can point to anything authoritative that can provide insight, please e-mail it to me at firstname.lastname@example.org. I'll post links to anything I get.