There is a brief article that I found on CardNotPresent.com where Bob Russo, outgoing general manager of the PCI Security Standards Council, describes an incident where he was robbed (really burglarized, but everyone misuses "robbed", a pet peeve of mine). Bob uses this story to illustrate how PCI-compliant companies are breached.
Before reading my punchline, please read the article: Bob Russo: Breached!
Stop. Go back; you didn't really read it…
Ok, anyone notice something missing from Bob's story?
Immediately following the police investigation, the DA (playing the part of the card brands) didn't levy fines for PCI non-compliance. His HOA (playing the part of an acquirer) didn't kick him out for not properly securing the premises. He was not required by various states (cameo appearance, playing the part of themselves) to send out breach notifications to all the contacts stored on his laptop. He didn't make headline news with "Russo Exposes PII!" Lastly, he was not hit with one or more class action lawsuits for the stolen Personally Identifiable Information before the ink had a chance to dry on the police report.
Hmmm… I wonder if my name and email address were in his contact list.