Last month, three researchers from Carnegie Mellon University released the results of their study of data breach notification laws. The study received a fair amount of attention in the news media because of its sensational conclusion. According to the study:

"Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft..."

It seems to me that these researchers asked the wrong question. The data breach notification laws were designed to alert consumers when their personal data was stolen or exposed. Prior to these state laws, companies rarely, if ever, notified consumers, customers, or employees. The notification laws were never intended or designed to reduce data breaches by companies, higher education institutions, and government agencies.

Instead, the researchers could have investigated an important issue: how does the increase in offshore outsourcing by companies and financial institutions affect data breach notifications?

Or the researchers could have studied an even better topic: what is the optimal duration (in years) for which companies should provide their data-breach victims with free credit monitoring services? Today's common practice is one or two years, a duration totally divorced from reality. Identity thieves will use or resell consumers' identity information for as long as they find it useful. Hence, consumers bear the long-term risk and financial burden.

Perhaps the researchers should have studied this issue: what would it take for companies and higher education institutions to reduce (or stop) data breaches? Based on my study of the problem: as long as the consequences are minimal, data breaches will continue. When the consequences (e.g., fines, jail time, new liability laws, or a combination of these) become significant, then we'll see a change in behavior by companies, higher education institutions, and their executives.
