The distinction currently drawn by data
breach notification laws between active and passive breaches should be abandoned, because it provides an incentive for malicious actors to obtain personal data through social engineering, rather than through hacking.