Rethinking PII: It's Time to Redefine Data Breach Notifications for a Better Future
A Call for Common-Sense Reform in Data Breach Notification Laws
The Yellow Pages Paradox: When Private Information Was Public
For those old enough to remember life before the internet, there's a striking irony in today's data breach notification landscape. We live in an era where companies spend millions notifying consumers about the exposure of information that was once freely available in every American household.
The Yellow Pages contained everyone's name, phone number, and home address—readily available for anyone to see. This information was automatically included unless you paid a fee to remain unlisted, and even getting removed from these directories was a complex process that wasn't streamlined until the late 1990s or early 2000s. The first business directory appeared in Philadelphia around 1785, and by the 1880s, these directories were organizing businesses by category and selling advertising space—essentially creating the original "search engine" for finding people and businesses.
Yet today, when this same basic information—name, address, phone number, and email—is accessed without authorization, companies face an average data breach cost of $4.88 million in 2024, representing a 10% increase from the previous year. Something fundamental has shifted in how we view and regulate personal information.
The Mounting Cost of Data Breach Notifications
The financial burden of data breach notifications has reached staggering proportions. IBM's 2024 Cost of a Data Breach Report reveals that 75% of the increase in average breach costs was due to lost business and post-breach response activities, with legal and regulatory penalties varying significantly depending on industry and geographic location.
Legal experts confirm that legal costs represent one of the largest expenditures organizations face in data breaches, as organizations rarely have the necessary legal and privacy expertise in-house and must hire outside counsel to ensure compliance. The notification process itself has become a massive industry—one that may be addressing the wrong problem.
Consider the scope: all 50 states have enacted security breach laws requiring disclosure to consumers when personal information is compromised, yet recent amendments to state data breach notification laws have expanded the categories of PII that trigger notification obligations, imposed new regulatory notification requirements, and implemented specific timing requirements.
What's Really at Risk?
The fundamental question we must ask is whether notifying consumers about the exposure of information that's already publicly available through legitimate channels serves any meaningful protective purpose.
Data collection companies legally gather and sell the same information that triggers expensive breach notifications—without requiring consumer consent and with deliberately difficult opt-out processes. The data collection market is valued at nearly $434 billion for 2025, with companies automatically harvesting basic identifiers, financial data, purchase history, health data, behavioral insights, and real-time location data. These businesses operate on an "opt-out" model where consumers must affirmatively request removal from hundreds of different databases, with each company having its own complex removal process.
The business model is designed to make data removal as difficult as possible. Data collection companies maintain that "removing your data from their systems impacts their bottom line, so they are disincentivized to make this easy for you," according to privacy experts. Even after consumers successfully remove their information, it often reappears, sourced from other companies in the vast data sharing ecosystem. This creates a perpetual game of whack-a-mole where the same "protected" PII continues circulating through legal channels while companies spend millions notifying consumers about unauthorized access to information that's simultaneously being sold with no notification required.
Meanwhile, healthcare data breaches create genuine risks, as medical records can sell for $10 to $1,000 per record on the black market and stolen Medicare beneficiary ID numbers have become particularly valuable to cybercriminals. Healthcare fraud artificially inflates medical service costs, with the National Health Care Anti-Fraud Association estimating that as much as 10% of the $3.6 trillion spent on healthcare in 2018 was attributed to fraud.
Industry Expert Perspectives
The cybersecurity community is beginning to recognize the need for more nuanced approaches to data protection. Glenn J. Nick, associate director at Guidehouse, notes that "regulated industries suffer not only the immediate cost of responding to, containing, and remediating vulnerabilities but also the long-term effects of additional penalties from their regulatory bodies and legal settlements".
The current system creates perverse incentives. Nearly two-thirds of organizations said they were planning to pass breach costs onto customers, up from 57% in 2023, meaning consumers ultimately bear the financial burden of a notification system that may provide limited actual protection.
Privacy experts acknowledge this challenge: the data collection industry has created a system where consumers have no meaningful control over their information. In the United States, businesses do not need consumer consent to collect or sell personal information—they are legally allowed to sell and share data unless consumers affirmatively opt out, and only where state laws permit such opt-outs. This lack of consent requirements has enabled the widespread growth of data collection companies that operate "behind a veil of secrecy."
The opt-out process itself is deliberately cumbersome. Data privacy experts confirm that "reclaiming or deleting data from these companies can be a deliberately complex process that is not only time-consuming but frustrating, with each company having its own opt-out requirements." There are hundreds of registered data collection companies across various state registries, making individual opt-out requests a "Herculean task" for consumers. Even professional data removal services charge ongoing fees to manage these requests because the process is so complex and because removed data frequently reappears from other sources.
The Case for Redefining PII
The time has come to differentiate between truly sensitive personal information and data that's already in the public domain. A more rational approach would focus breach notification requirements on information that poses genuine risk when compromised:
Truly Sensitive Information:
Social Security numbers
Driver's license numbers
Financial account information and payment card data
Healthcare information and medical records
Biometric data
Authentication credentials and passwords
Currently Over-Protected Information:
Names and basic contact information automatically collected by data harvesting companies
Information equivalent to what was in Yellow Pages directories, now collected without consent
Data that's legally sold through hundreds of collection companies with no consumer notification required
Information that consumers must actively opt out of at dozens of separate companies in order to protect
The FCC has already begun recognizing this distinction, with new rules that exempt from PII definitions "publicly available information lawfully made available to the general public from government records or widely distributed media".
The Healthcare Fraud Connection
One of the most compelling arguments for refocusing our efforts lies in healthcare fraud prevention. In 2024 alone, federal enforcement actions resulted in 193 defendants charged with healthcare fraud involving over $2.75 billion in false claims, with the Health Care Fraud Unit charging more than 5,400 defendants since 2007.
Healthcare fraud causes insurance companies to raise premiums to offset inflated claims payments, and when insurance companies increase premiums, businesses must raise their prices to cover increasing costs. This creates a direct line from data security failures to increased healthcare costs for all Americans.
By redirecting resources from notifying consumers about exposed contact information that's simultaneously being sold legally without their consent to preventing healthcare and financial fraud, we could achieve more meaningful protection for consumers while reducing costs across the board. The current system creates the absurd situation where companies spend millions notifying consumers about data that other companies are legally selling to anyone willing to pay, with consumers having virtually no practical ability to stop either process.
A Practical Path Forward
The solution isn't to eliminate data protection—it's to make it more effective. Here's what a reformed approach might look like:
Tiered Notification Requirements: Distinguish between high-risk data (SSN, financial, medical) requiring immediate notification and low-risk data (basic contact info) with simplified reporting.
Focus on Prevention: Redirect resources from notification compliance to preventing access to truly sensitive information.
Consumer Education: Help people understand which types of data breaches actually require immediate action versus those that don't.
Regulatory Modernization: Update PII definitions to reflect the reality of publicly available information in the digital age.
The Bottom Line
Organizations that applied AI and automation to security prevention saw the biggest impact in reducing breach costs, saving an average of $2.22 million over those that didn't deploy these technologies. Imagine if we redirected even a fraction of the resources currently spent on unnecessary notifications toward these more effective security measures.
We're not suggesting companies should be less careful with consumer data. Rather, we're arguing for a more rational, risk-based approach that focuses protection efforts where they matter most. As industry breach-cost data shows, the average cost of a data breach for professional services organizations, including law firms, reached $5.08 million in 2024, with much of this cost driven by notification requirements for information that poses limited actual risk to consumers.
The cybersecurity community has an opportunity to lead this conversation. By advocating for more sensible PII definitions and notification standards, we can help create a system that truly protects consumers while reducing the regulatory burden that ultimately increases costs for everyone.
It's time to ask ourselves: Are we protecting privacy, or are we just protecting the Yellow Pages and reporting about it every time it's used?