Breach Notification Efficacy Debated

Experts examine whether notification laws work
March 12, 2009

Most states now require companies to notify consumers of data breaches involving personal identifying information. As a result, it seems that every day there is a new notice of a breach somewhere. Yet the question remains: are data-breach notification laws actually working?

At a recent Security Breach Notification seminar in Berkeley, Calif., industry experts debated the legislation’s efficacy, even as California’s Sen. Joe Simitian endorsed an expansion of his state’s landmark data-breach notification law.

The pros
An obvious positive outcome of California’s SB 1386, and the similar legislation that followed in 43 states, is increased public awareness of data breaches and a better understanding among consumers of the inherent risks.

Forcing companies to come clean about data breaches has also helped motivate businesses to improve their security practices. Speaking on the Berkeley panel, Carnegie Mellon University researchers Alessandro Acquisti and Sasha Romanosky pointed to their 2008 study, which found that data breach laws cause companies to pay more attention to encryption, access controls and auditing of their networks, according to Wired.

The cons
However, Acquisti and Romanosky suggested the laws also “cause firms and consumers to incur what could be deemed unnecessary costs in the face of unclear risks,” Wired reported. That is likely one reason why, according to a 2005 FBI study cited by Wired, only 20 percent of firms would report serious breaches to law enforcement if it were not legally required.

Demanding transparency doesn’t necessarily reduce identity theft either.

For one thing, breach notifications can arrive after consumers have already discovered fraudulent charges or become victims of identity theft, Kim Zetter blogged for Wired. (InformationWeek blogger George Hulme countered that notification letters can help a victim identify the root of the problem and act accordingly.)

Another concern Zetter raised is the “cry-wolf effect”: most consumers discard breach notification letters as junk mail, and even those who do read the notices often don’t act on them. For instance, when ChoicePoint was breached, fewer than “10 percent of the 163,000” consumers who were notified took advantage of the offered credit protection, according to Wired.

Our analysis
Notification laws have motivated many organizations to take responsibility and strengthen their data security. And notifying consumers of a breach of their personal data has enabled them to make decisions (or make no decision, as the case may be) on how to manage their identities. These are two very positive results of data breach notification laws that should not be discounted.

One point that often comes up for debate is whether data breaches even result in a high enough rate of identity theft to warrant the cost and effort that comes with notification. For example, the ChoicePoint breach resulted in at least 800 known cases of identity theft, according to the FTC. However, anyone who relies on that statistic alone should remember that many consumers don’t report their identity theft cases to the FTC, and many don’t know the source of the theft. Beyond that, an identity theft can happen years after the information is stolen, making the crime all the more difficult to trace back to a particular breach. The actual number of related identity theft cases could be much higher. To say that data breaches don’t result in a high enough percentage of known instances of identity theft is not, in our opinion, reason enough to relegate data breach notification laws to the back burner. Beyond that, who’s to say what the “right” percentage is to justify transparency and accountability?

Granted, no one can say for sure at this point whether data-breach notification laws are having an impact on identity theft. When even the critics agree that there isn’t enough information with which to make an informed decision on efficacy, it’s clear more study is needed. Information privacy law expert Chris Hoofnagle, quoted by Acquisti and Romanosky, says that requiring banks and other organizations to release identity theft data could help researchers better understand the scope of the crime. We agree that this would be a very big step in the right direction.


Related alerts
Report Says Data Breach Costs Rising
Data Breach Reports “Increased Dramatically” in 2008
File This Under ‘That’s Not Helpful’

©2003-2012 Identity Theft 911, LLC. All rights reserved.