CMU Study: Breach Laws Don’t Reduce Identity Theft

June 12th, 2008

According to a study out of Carnegie Mellon’s Heinz School, data breach laws have “no statistically significant effect” on reducing identity theft. The researchers performed a regression analysis using FTC identity theft data, factoring in income, strictness of the laws, and some interstate effects.

I have a couple of minor quibbles, but otherwise the results aren’t surprising.

First, the quibbles. Although the study considers some interstate commerce effects, I don’t think it accounted for them quite enough. Interstate commerce effects are those where one state’s data breach law affects identity theft rates in other states because of corporations with customers in multiple states.

For each state, the study tried to compensate for interstate effects by including variables for (1) the state’s level of interstate activity, (2) the number of that state’s neighbors with data breach notification laws, and (3) the percentage of all U.S. states with identity theft laws. What I think this still misses is the extent to which one large, populous state can force nationwide compliance. For example, consider what happened when California was the only state with a breach notification law. Companies who suffered a breach could choose to notify only their California customers, but if the breach were large, the publicity would still be nationwide—and customers in other states might wonder why the company didn’t tell them, too. Preventive measures don’t split along state lines as neatly. A company with weak security that wanted to avoid having to tell California customers about a data breach couldn’t improve only security for its California data; a security change would affect all its customers.

It’s therefore a matter of diminishing returns as more states pass data breach notification laws: when one large state has a notification law, it has a significant nationwide effect. Adding ten more states increases that effect, but not tenfold. By the time thirty-eight states have data breach notification laws (my count as of sometime early this year), one or two more won’t have that much more impact on nationwide compliance requirements. Any adjustment for the number of states with data breach laws should take this into account.

Another small criticism I have of the report is that it expects secondary effects to show up too quickly. Secondary effects of data breach notification laws are the incentives for companies to improve their data security practices. These process improvements take time to implement, and it wouldn’t be surprising to see a two or three year delay between passage of a data breach notification law and any sign of lowered identity theft.

The CMU report found that when (or whether) a state had passed a data breach law made little difference in the rate at which identity theft increased or declined. Overall identity theft rates increased at about the same rate in each category through 2005, and then, interestingly enough, declined at about the same rate in each category from 2005 to 2006:

[Figure: Average ID theft rate, categorized by year of data breach notification law]

This overall drop could reflect a delayed nationwide impact from California’s law, to which laws in additional states haven’t added as much as we might think.

Despite these complaints, I think the report’s ultimate findings are valid. Data breach notification laws probably don’t have a significant effect on identity theft rates, for a number of reasons:

  • Data breach events account for a small portion of identity thefts: 12% to 26%, depending on the study.
  • People may or may not receive notice of a breach, pay attention to it, or take action to avoid identity theft. Failure to do any of these reduces data breach laws’ effectiveness on the primary effects of a data breach.
  • Data handlers want to avoid data breach announcements, but they might think they’ll never have a breach, or they might accept the risk of a breach, or they might decide that the cost of improving security is higher than the expected cost of a breach. These reduce a data breach law’s effectiveness in creating secondary effects.
  • Consumers don’t have the ability to control how their data is handled. In a perfect market, we could choose to do business with companies that carefully handle data. But it’s not a perfect market, and a lot of our data is collected without our knowledge or consent, so we only have a limited ability to keep our data out of the hands of people who are sloppy with it, even when we know they’re sloppy.

Data breach laws are useful and necessary. If someone misplaces my data, they should have to tell me about it. But these laws alone aren’t enough to make companies handle data securely.

“Data breach laws have no effect on prevention, researchers say” [SearchSecurity.com]

You are currently reading CMU Study: Breach Laws Don’t Reduce Identity Theft at Graves Concerns.