I read the article today about 3 break-ins at the U of Florida http://www.networkworld.com/news/2009/022309-three-months-three-breaches-at.html?nlhtident=rn_022509&nladname=022509security:identitymanagemental
I find it incredible, partly because they have such a great team in the IT department. In reality, it's hard to watch everything all the time. Even with the greatest staff and good security equipment, it comes down to the weakest link. One break-in was due to really, really old equipment - back from 1996. That one got fixed pretty quickly. I'm glad to see they took the corrective steps, and reported it as well.
Reporting security break-ins should be mandatory. I'm from the camp that believes all break-ins should be reported and not hidden. It allows the community at large to know about their own personal data, while holding institutions responsible. I'm not just talking about the University as much as I'm talking about corporate America. In California, there was a law passed requiring companies to disclose break-ins. If it wasn't for that, companies like ChoicePoint, Citigroup and LexisNexis would have no reason to report on the break-ins they had. At the end of the day these laws help by putting the spotlight on these mistakes and this motivates them to stop the bad press.
Like most IT investments, security can be boiled down to ROI. Is it worth it for the company to spend a bunch of money to secure the public's data? Bad press resulting in lower stocks is definitely an ROI driver.