That may be true, said Arshad Noor, CEO of StrongAuth Inc. a compliance management firm in Sunnyvale, Calif. But allowing breached companies to make judgments on whether data might be misused will never work in favor of consumers 'because the statute of limitations on thieves using stolen data does not expire,' he said. 'For more than four decades, IT organizations have operated in the shadows. Now for the first time, they're being forced to shine the spotlight on their deficiencies.'