The Associated Press reported today that personal data loss hit record levels in 2007. Between the TJX break-in early in the year and the weekly reports of unencrypted tapes being lost or stolen, I’m really not surprised.

To be honest, I think companies that aren’t smart enough to use encryption for their data when it’s readily available deserve to be hit. This seems like a case where legislation to mandate back-end data encryption would be good, but instead banks are being told to add stupid security features like multi-factor authentication to secure the front-end.

What strikes me as even more silly is that given the exorbitant cost of a breach [1], companies still want to be the keepers of customers’ personal or financial data and impose fees on the customers that don’t want to share it. For example, my auto insurance company has an extra $5/mo. service fee for customers that opt to make payments themselves instead of providing bank account information to them and letting them pull the money via an electronic fund transfer (EFT).

Given that there is little to no security for most electronic transfers (all you need are routing and bank account numbers and a willing bank), I am reluctant these days to provide my bank account information to most companies. I don’t even provide my credit card number to most service or utility providers any more. Instead I use my bank’s online bill pay feature and have them push the money electronically or via a paper check in the mail [2].

But hey, instead of charging a fee why not pay me a few bucks to keep my sensitive information to myself as long as my payments are made in a timely manner? I’m doing you a favor because if you don’t have my account number, I can’t sue you later for accidentally disclosing it.

[1] The public settlement TJX made with financial institutions was around $40M and included 3 years of credit protection to consumers plus fraud insurance.

[2] Still not great, as most of these checks are done as personal checks and not bank checks (which wouldn’t include your account number), but one can hope that an electronic record containing account information isn’t created by the recipient.