In my last post, I addressed what is a proper measure of damages for exposure of a person's private information. In response, the Dunning Letter put up a post providing some interesting statistics about the cost ($5720/victim) and prevalence (top complaint reported by the FTC ID theft and consumer fraud survey) of identity theft. At that time, I considered preparing a responsive post, essentially playing devil's advocate and pointing out that providing compensation via lawsuits was really a poor way to combat the problem of information exposure, because, even if you could get the proper measure of damages, most people wouldn't take the trouble to file a lawsuit. Further, even if people did file lawsuits, the transaction costs associated with litigation (i.e., attorneys' fees) mean that, even if you did provide incentives to avoid data exposure, there would be a ton of lost effort involved.
However, this post brings the problem into even sharper focus by describing the situation of a young woman who states that she reported an identity theft, which took between 20 minutes and an hour, and that she got NOTHING in return. If she doesn't think it's worth an hour of her time to report an ID theft (and she's undoubtedly not alone in that), then you can bet there will be very few consumers who would be willing to spend the time (years) and money (thousands of dollars) which are necessary to go to court. The bottom line: while providing compensation is worthwhile, it isn't enough.
So what is enough? My proposal is regulation, clearly written and consistently enforced. Part of the problem is that businesses simply don't know what they need to do to avoid having security breaches. Also, businesses know that, even if there is a breach, there isn't much chance that individual plaintiffs will be able to successfully bring suit for damages. Clear regulation which is consistently enforced could solve both of those problems, by providing clear guidance for businesses and by providing a strong incentive (the threat of government penalties) for following that standard. At the moment, though, the U.S. model seems to be notification followed by individual litigation, which is, as set forth above, a highly suboptimal solution.