Privacy Digest

News that can impact your privacy.
Experts Debate the Value of Breach Notification Laws

Submitted by MacRonin on March 9, 2009 - 11:09pm
  • Companies
  • Data Breach
  • Databases
  • Events
  • Hmmm
  • ID
  • Infrastructure
  • Laws
  • Privacy
  • Security
  • Seminar

Experts Debate the Value of Breach Notification Laws: Via Wired: Threat Level.

When California passed the first data breach notification law in 2003, it quickly became the de facto standard for the rest of the country. A total of 44 states now have breach notification laws, which vary only slightly in their definitions of what constitutes a breach that requires notification and what companies must do when they experience a breach.

But are the laws doing any good?

This was the question that a number of speakers at the Security Breach Notification seminar held in Berkeley on Friday (at right) tried to answer.

It's clear that the laws have made the public more aware of breaches and the vulnerability of their data, and have exposed poor security practices at many businesses. A 2005 study by the FBI showed that in the absence of a legal requirement to report breaches, only 20 percent of firms would report serious breaches to law enforcement.

But beyond this transparency benefit, speakers said, it's unclear what other benefits the laws have had. There are even suggestions that the laws have had some detrimental effects on consumers and companies.

Breach notifications should, theoretically, reduce the number of incidents of identity theft or fraudulent charges to credit cards if consumers take proper precautions once they receive a notification -- such as placing a fraud alert or freeze on their credit account and monitoring their account bills and statements for suspicious transactions.

But in some cases, customers discover fraudulent charges on their cards or become victims of identity theft before a company is even aware its computers have been breached, making the breach notification redundant for those consumers.

There's also the "cry-wolf" effect.

As notifications have become more ubiquitous -- 55 percent of respondents in a survey by the Ponemon Institute last year said they'd received two or more notices within 24 months -- many consumers have become inured to them, simply tossing them in the trash rather than acting on them to protect their identity.

When the Choicepoint datamining company was breached in 2004 -- the breach that put California's breach notification law on the map -- the company offered credit protection and monitoring services to those whose information had been compromised. But the company later said that fewer than 10 percent of 163,000 people called Choicepoint to take advantage of the offer.

Consumers have often complained that notification letters provide no clear instructions for what they can or should do to protect themselves after their information has been breached and therefore many take no action to protect themselves after being notified that their information was breached.

According to a study (.pdf) conducted by Alessandro Acquisti, professor of information technology and public policy at Carnegie Mellon University, and his grad student Sasha Romanosky, there are arguments to be made both in support of and against breach laws.

On the one hand, data breach laws are helpful in leading companies to install encryption and to devise new access controls and auditing measures on their networks. They also lower consumer losses and damages in terms of time and money, although the researchers offered no statistics on this.

On the other hand, they said, the laws cause firms and consumers to incur what could be deemed unnecessary costs in the face of unclear risks. They pointed to the Ponemon survey, which found that only 2 percent of respondents who said their information had been breached experienced identity theft as a result of the breach. This would mean that money spent on credit monitoring services in these cases would do little but enrich the monitoring services.

[I should point out that this low rate of identity theft was touted heavily by the Ponemon Institute when it released its study last year. But the same survey also found that 64 percent of respondents were unsure if they'd been a victim of identity theft -- showing how unreliable surveys on identity theft can be. Most victims don't know they're victims until they try to take out a loan or find themselves placed in collection for failure to pay a bill. And sometimes criminals hold onto data a year or more after a breach before they use it, meaning that consumers whose data is stolen may report that the breach didn't result in identity theft for them when in fact it may show up at a later date.]

When it comes to reducing identity theft rates, it's hard to know what effect the laws are having. The researchers examined statistics from the U.S. Federal Trade Commission for identity theft rates between 2002 -- before breach laws were passed -- and 2007, and found only about a 2 percent reduction in identity theft incidents related to data breaches in 2005.

But they cautioned that the data is inconclusive, particularly because it's often difficult to correlate an incident of identity theft with a specific breach for the reasons I mentioned above -- that criminals will sometimes hold on to stolen data a year or more before trying to use it, making the rate of identity theft appear to go down when it's really only delayed. There's also a problem with the FTC data itself, since it represents only incidents of identity theft that consumers report to the FTC, not actual incidents of identity theft.

There are additional questions worth asking about what effect breach notifications have on the relationship between customers and the breached entity. Consumers often express anger and mistrust toward companies that lose their data, but it's unclear how often that anger translates to action. According to Deirdre Mulligan, a professor of information technology law and policy at UC Berkeley's School of Information, a Ponemon study found that about 20 percent of respondents claimed to have terminated their relationship with a company after discovering that the company experienced a breach.

But a separate survey of companies found that the percentage of customers who actually do terminate their relationship with a company is less than 7 percent. Both numbers should be taken with a grain of salt, however. Consumers, Mulligan told Threat Level, have a tendency to say they're going to do one thing when they actually do another, and companies also can't be relied on to honestly report the numbers of customers they lose from a breach.

All of this leads to the main takeaway from Friday's seminar -- data on breach notifications and their after-effects is still very poor and unreliable. In fact, this seemed to be the refrain from most of the speakers. There just isn't enough evidence to show definitively one way or another yet whether notification laws have been a boon or a bane.

Photo: David M. Grady

See also:

  • Clues to Massive Hacks Hidden in Plain Sight
  • CA Looks to Expand Data Breach Notification Law But Won't Address Compensation
  • Thief Steals Sensitive Data from NYPD Warehouse
  • Data Breach Post Mortem Offers Surprises
  • Card Processor Admits to Large Data Breach
  • Cyber Crook Pleads Guilty to Looting Citibank Accounts with Hacked ATM Codes

Read Original Article (Via Wired: Threat Level.)



Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.