Via The Dunning Letter, I learned about this paper which (according to Jack's post) says that data security breach notification laws don't actually work. When I first read the post discussing the paper, I was somewhat unnerved, since that would mean that one of the primary vehicles that governments have used to try and address the vulnerability of consumer data is ineffective. Happily, when I read the paper I found that this was one time that the normally astute Dunning Letter was simply wrong. What the paper actually found was that, using their data set (which, as I will discuss in a later post, was not the proper data to evaluate security breach notification laws) they did not detect a statistically significant effect of security breach notification laws on identity theft. However, that is different from saying that there is no effect. Indeed, the paper explicitly recommends increasing disclosure requirements to help address the lack of data: "[other authors argue that] current information is not sufficient and that banks and other organizations should be
required to release identity theft data to the public for proper research. We certainly agree with this view."
So what can be gained from this? First, the paper itself is quite interesting, and I plan on addressing it in more detail in future posts. For now though, the lesson I draw from this is that you should always go to the original source when blogging. When discussing the paper, the Dunning Letter also linked to a TechWorld article with the bold headline that "Researchers say notification laws in US not lowering ID theft." My guess is that Jack probably read the TechWorld article but not the original paper. While that might be a nice shortcut, it can also (as demonstrated here) lead to perpetuating falsehoods just because they make nice screaming headlines.