Data breach disclosure laws don't work

Laws that force businesses to disclose privacy breaches have not produced any measurable reduction in identity theft.

Data breach disclosure laws have had essentially no effect on preventing identity theft, despite all of the attention and publicity that they have brought to the problem in the last few years. Researchers at Carnegie Mellon University studied four years of identity theft data from the Federal Trade Commission (FTC) and found that the various state breach notification laws have done virtually nothing to reverse the trend toward ever higher numbers of stolen identities.

"We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. The lack of a significant negative effect may be due to breaches accounting for a small enough percentage of total identity thefts, dwarfing any actual crime reduction by more common causes, such as a lost or stolen wallet," the authors, Sasha Romanosky, Rahul Telang and Alessandro Acquisti, wrote in the paper Do Data Breach Disclosure Laws Reduce Identity Theft?, which they will present at the Seventh Workshop on the Economics of Information Security at Dartmouth College later this month. "If the probability of becoming a victim conditional on a data breach is very small, then the law's maximum effectiveness is inherently limited."

From 2002 to 2005, the number of identity thefts reported to the FTC went from about 155,000 to nearly 249,000 cases. The number then fell slightly to 239,000 in 2006.

The flood of state disclosure laws began with a California measure that took effect in 2003 and required any company doing business in the state to notify affected residents if their unencrypted personal information was acquired by an unauthorized party, or could reasonably be believed to have been. Since then, more than 40 other states have passed some form of breach disclosure law, although the data that the authors examined extended only through the end of 2006, when just 28 states had laws in place. Romanosky, a Ph.D. student at CMU, said he is working to integrate data from 2007 as well.

The question of why the notification laws have been ineffective so far is a difficult one, Romanosky said, and there are several plausible answers right now. One factor is that notification laws do one thing very well: notify consumers of a data breach. But that is all they do. What happens after that notification is entirely up to the consumer.

"All the laws do is inform consumers, and then they need to take action," Romanosky said. "If they don't do anything about it, what chance does the law have of succeeding? The onus is on the consumer to take action. It's hard for people to understand the consequences of their own inaction. They feel overconfident that it won't happen to them, and the odds are that they're right. There's inertia, a lack of consequences and a lack of understanding to properly perceive what the consequences might be."

For the companies involved in data breaches, the picture is more complicated. Their motives are strictly economic; preventing identity theft for consumers is not a top priority for them. Part of the rationale for passing breach notification laws is that putting these incidents in the public eye will pressure companies to improve their security practices, which should in theory result in fewer breaches in the future. The jury is still out on that hypothesis, however.

"One of the economic rationales is that the transparency will encourage firms to improve their practices, otherwise the breaches will continue to happen," said Romanosky. "We have seen some examples of that, ChoicePoint is a good one. But whether it's having a large effect and impacting firms is yet to be determined."

The laws themselves have also caused some consternation in the security community. The patchwork of state laws means there is no single consistent standard for companies that need to report a breach: the states differ on which data elements count as personal information, on whether encrypted data is exempt, on whether notification is required at all absent a likely risk of harm, and on how quickly notice must go out. Romanosky said an overarching federal law could help solve this problem, but it would not be a cure-all.

"You can argue that the laws aren't strong enough, or that there are not enough, or maybe even too many notices," he said. "There are too many exceptions. But maybe the laws haven't been around long enough either."

But the biggest reason for the lack of effect on identity theft numbers could be the simplest one: most cases of identity theft are not the result of data breaches at all.

"It seems clear that a lot of identity theft has nothing to do with data breaches. Of those that know how it happened to them, 15% or 20% say that it came from a data breach," Romanosky said. "In that case, what is the maximum effect that the laws could have?"

Still, the breach notification laws may have other benefits that are not as visible as the rate of identity thefts. "There are other potential outcomes here that we may not know about yet," Romanosky said. "Reducing the average loss by consumers by notifying them sooner could be one. We need more time to see."
