Tuesday, June 17, 2008

Always Go With the Original

Via The Dunning Letter, I learned about this paper which (according to Jack's post) says that data security breach notification laws don't actually work. When I first read the post discussing the paper, I was somewhat unnerved, since that would mean that one of the primary vehicles governments have used to try to address the vulnerability of consumer data is ineffective. Happily, when I read the paper I found that this was one time that the normally astute Dunning Letter was simply wrong. What the paper actually found was that, using their data set (which, as I will discuss in a later post, was not the proper data for evaluating security breach notification laws), they did not detect a statistically significant effect of security breach notification laws on identity theft. However, that is different from saying that there is no effect. Indeed, the paper explicitly recommends increasing disclosure requirements to help address the lack of data: "[other authors argue that] current information is not sufficient and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view."

So what can be gained from this? First, the paper itself is quite interesting, and I plan on addressing it in more detail in future posts. For now though, the lesson I draw from this is that you should always go to the original source when blogging. When discussing the paper, the Dunning Letter also linked to a TechWorld article with the bold headline that "Researchers say notification laws in US not lowering ID theft." My guess is that Jack probably read the TechWorld article but not the original paper. While that might be a nice shortcut, it can also (as demonstrated here) lead to perpetuating falsehoods just because they make nice screaming headlines.


John Taylor said...

Love your blog! It actually was the impetus for me to start mine.
As a specialist in identity theft risk management I find precious little informed material on the subject. Thanks for yours.
John Taylor

Jack E. Dunning said...

One of the things about fighting the privacy war is the mix of opinions on the subject. Some are right, some are wrong, and some are just confused. My blog, The Dunning Letter, is a combination of facts and opinions, with the latter based on my experience with the handling—or rather, mishandling—of consumer names and personal data. I am very passionate about the protection of individual privacy, and am convinced that business, government, and the public sector in general are not doing enough to secure our private information.

The TechWorld ad was correct in its “screaming” headline proclaiming that the Mellon researchers said notification laws aren’t lowering ID theft. Romanosky found no evidence that these laws reduce ID theft, but qualified this with the fact that he lacked “sufficient high quality data.” Data is sparse in this issue, but the Mellon researchers were working with FTC information that is used and quoted from by top research organizations like Javelin. As I said to Wm. Morriss in reply to his comment on my blog, it was a matter of interpretation, and his was wrong.

At the end of my June 12 post, I even added that Mellon felt these state disclosure laws had additional benefits such as reducing a victim’s average losses and forcing business to clean up its act. The mean fraud victim loss did drop to $5,720 in 2007 from 2006’s $6,278, taking only 25 hours to clean up the mess in 2007, compared to 40 in 2006. However, the breaches continue to march on with a slight increase in the first half of 2008 (173 breaches) over 169 in the same period of 2007.

In further confirmation, a recent Javelin study found that identity theft is decreasing at the same rate after these state laws were enacted as it was before. According to the FBI, Internet fraud schemes in 2007 accounted for consumer losses of $239 million, compared to $198 million in 2006. In the actual Carnegie Mellon study, page nine, there is a graph illustrating that states without ID theft laws actually increased in the crime at a slower rate than states passing laws in 2005, but only slightly faster than states enacting the legislation in 2006.

Finally, state identity theft laws will not work in the long run, first, because the complexity of dealing with 51 different pieces of legislation is not realistic for business. Second, because many of these state legislatures have limited resources for research, some notification laws end up with loopholes such as allowing the breacher to decide if the loss of personal data could or would cause a loss to the consumer.

By the way, congratulations to Ephemerallaw for being named in the top 100 civil liberties advocacy blogs.

Jack E. Dunning
The Dunning Letter