Sunday, June 22, 2008

Measuring the Effect of Security Breach Notification Laws

How do you measure the effectiveness of security breach notification laws? One way is to take data on how many consumers report that they were victims of ID theft due to a security breach, break the data down by state, and compare the states that have security breach notification laws with those that don't. If the states that have notification laws show a lower rate of identity theft due to security breaches (after controlling for various confounding variables), then you would conclude that the notification laws are effective in reducing identity theft.

The cross-state comparison described above was essentially the approach taken in this paper by Romanosky et al., which attempted to measure whether data breach disclosure laws reduce identity theft. Unfortunately, while measuring the effect of data breach disclosure laws is a laudable goal, I don't think the paper's approach was likely to result in any meaningful conclusion. The biggest problem with the paper's approach is that it didn't appear to adequately take into account the effect of interstate commerce in extending the coverage of existing security breach notification acts to states where those acts haven't been enacted. That isn't to say that the paper ignored this effect. However, its efforts to account for it seemed to focus on interstate movement by people (e.g., students attending an out-of-state university), when interstate movement of data is almost certainly a much bigger effect (largely because there is a well-developed interstate market for data, while such an interstate market for people is prohibited by the 13th Amendment). Most security breach notification laws are triggered not only by security breaches at in-state companies, but also by security breaches at out-of-state companies which expose the data of state residents. The result is a duty to disclose that travels with the data from the point where it was collected to anywhere in the country. Similarly, if the data of a resident of a state which doesn't have a security breach notification act is transferred to a state where such an act does exist, the individual whose data was transferred will benefit from the out-of-state notification law, even if that person has never left their local jurisdiction.
Thus, since the effects of security breach notification acts bleed so freely across state lines, trying to measure the effectiveness of those acts by comparing jurisdictions with security breach notification acts to jurisdictions without them is unlikely to yield any meaningful results.

So what would be a better approach to measuring the effect of security breach notification laws? One way would be to compare jurisdictions between which the transfer of data is either nonexistent or severely limited. Unfortunately, it seems likely that there would be so many other differences between such jurisdictions that meaningful comparisons would simply be impossible. For example, if you were comparing the U.S. and the E.U., how would you control for the effect of the E.U. data privacy directive? Another approach would be to compare the rate of identity theft caused by security breaches with the rate of ID theft caused by something that isn't influenced by security breach notification acts (e.g., dumpster diving). The problem with that, though, is that the single most common cause of identity theft is "unknown." Thus, it could be that security breach notification laws would actually increase the reported incidence of ID theft due to security breaches, because some ID thefts caused by breaches would move from the "unknown" column to the security breach column. Further, making that kind of fine-grained comparison requires a larger data set than is needed to simply look at overall rates of ID theft, and such a data set might not be available. The bottom line is that measuring the effectiveness of security breach notification acts is hard, and if there is a good way to do so, it isn't clear what it is.
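The two measurement problems above (out-of-state coverage bleeding into "no-law" states, and breach-caused thefts moving out of the "unknown" column once victims are notified) can be made concrete with a small deterministic model. This is an added illustration, not part of the original post or the Romanosky et al. paper; every rate, fraction and function name in it is a constructed assumption, and the attribution probabilities are only there to show how the sign of the estimate can flip.

```python
# Toy model (constructed assumptions, not data from the post or the paper) of how a
# cross-state comparison of breach-caused ID theft rates can misstate the true effect.

def observed_breach_theft_rate(base_rate, reduction, coverage,
                               attribution_covered=1.0, attribution_uncovered=1.0):
    """Per-resident rate of ID thefts that get *reported* as breach-caused.

    base_rate:            chance a resident suffers a breach-caused ID theft with no notice
    reduction:            fraction of those thefts that timely notification prevents (true effect)
    coverage:             fraction of the resident's data held by entities that must notify
    attribution_covered:  chance a breach-caused theft is blamed on the breach (not "unknown")
                          when the victim was notified
    attribution_uncovered: same, when the victim was never notified
    """
    covered = coverage * base_rate * (1 - reduction) * attribution_covered
    uncovered = (1 - coverage) * base_rate * attribution_uncovered
    return covered + uncovered


def naive_cross_state_estimate(base_rate, reduction, spillover,
                               attribution_covered=1.0, attribution_uncovered=1.0):
    """The cross-state design: (no-law state rate - law state rate) / no-law state rate.

    A law state's residents are covered for all of their data, wherever it is held.
    A no-law state's residents are covered only for the fraction `spillover` of their
    data that sits with companies already subject to some other state's law.
    Returns the effect the comparison would report; compare it with `reduction`.
    """
    law = observed_breach_theft_rate(base_rate, reduction, 1.0,
                                     attribution_covered, attribution_uncovered)
    no_law = observed_breach_theft_rate(base_rate, reduction, spillover,
                                        attribution_covered, attribution_uncovered)
    return (no_law - law) / no_law


if __name__ == "__main__":
    true_effect = 0.5
    # Problem 1: the more data crosses state lines, the more the measured effect shrinks.
    for spillover in (0.0, 0.5, 0.8, 1.0):
        est = naive_cross_state_estimate(0.02, true_effect, spillover)
        print(f"spillover={spillover:.1f}  true={true_effect:.2f}  measured={est:.3f}")
    # Problem 2: if notified victims name the breach while un-notified victims report
    # "unknown", the comparison can report a negative effect even with no spillover.
    est = naive_cross_state_estimate(0.02, 0.4, 0.0,
                                     attribution_covered=0.6, attribution_uncovered=0.3)
    print(f"with attribution shift: true=0.40 measured={est:.3f}")
```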

1 comment:

John Taylor said...

I am also curious as to the scope of these notification laws. As in California (sb1386), the majority of them are limited to unencrypted data held on computers. The Massachusetts law seems to be much broader and includes hard copy data. From what I have seen, "investigative" language in most instances allows the company to delay notification almost indefinitely if an investigation is ongoing to find the source of the breach. It seems to me that these are largely toothless laws if the thrust is to notify potential victims in a timely manner so they can be on guard to protect themselves.

As grateful as I am that these laws exist, I can't help but be frustrated by the shortsightedness regarding identity theft. Ideally we should have laws that are designed to protect the individual victim while at the same time providing for a penalty to the company for not acting in a timely fashion when a breach or loss occurs. Like anything, it is sad to say that business will not take this seriously until the 800 pound gorilla sits on them first.
Just a thought,
John