Wednesday, November 07, 2007

The Point of Breach Notification Laws

Back in August I wrote a small piece - "Data Breaches and Privacy Violations Aren't Just About Identity Theft". Ben Wright left a comment there that I never responded to. Here goes...

He said:
Peter Huber argues in Forbes that there is no "privacy" in our social security numbers or credit card numbers. The "secrecy" of those things does not really authenticate us. So this business of giving people lots of notices about compromise of their numbers seems pointless.
I hate to rehash all that has been written about breach notification laws, but I haven't seen much written on the public policy reasons for breach disclosure/notification laws. Well... I don't hate rehashing that much. Here goes.

There are several reasonable justifications for breach notification laws:

  1. Accountability of the data custodian
  2. Alerting the data owner of the breach
  3. Collecting public policy data on frequency and manner of breaches so that we can prevent them in the future
Whatever the value of the data in question, the disclosing party certainly didn't uphold their end of the bargain. What we're seeing lately, though, is that there is no shame in having had a data breach, so #1 isn't turning out to be all that useful from a public policy perspective. If breaches don't result in a significant financial loss, companies won't care much about protecting the data in their custody.

The main public policy value of breach notification laws as written today is probably #3. That is interesting in and of itself, but given the nature of the breaches it isn't clear that the benefits of breach notification are worth the costs of disclosure. Or, more specifically, it isn't clear that public notice with specifics per company is serving us well. An anonymous repository of the details and types of incidents would accomplish roughly the same public policy goal without all of the associated costs.

I'm not arguing that companies shouldn't disclose, but I have yet to see an analysis of the costs on both sides of the issue. I'm hoping someone can point me to one.

Part of the argument of course hinges on the responsibility of companies not to disclose data entrusted to them and the rights that the data owner has. There are costs to our current regime, however, and based on the public's reaction to data breaches (continuing to do business with the affected firms as if no incident had occurred), perhaps people aren't as interested in breach notification as we thought.

3 comments:

Chris said...

Not saying I agree with either of these (especially the second!), but...

Schwartz, Paul M. and Janger, Edward J., "Notification of Data Security Breaches". Michigan Law Review, Vol. 105, p. 913, 2007. Available at SSRN: http://ssrn.com/abstract=908709

Lenard, Thomas M. and Rubin, Paul H., "An Economic Analysis of Notification Requirements for Data Security Breaches" (July 20, 2005). Emory Public Law Research Paper No. 05-26. Available at SSRN: http://ssrn.com/abstract=765845

Security Retentive said...

Thanks for the pointers. I now have some reading to do.

Benjamin Wright said...

Andy: One of the costs inflicted by the ever-rising flood of breach notices is that it confuses the public. If the public sees too many notices, and hears too many announcements, about "breaches," then the public either becomes unduly worried or stops listening. I argue data holders have an ethical responsibility to avoid sending unnecessary breach notices. -Ben