Wednesday, June 11, 2008

Value of Security Breach Notification Laws

This article from Computer World advances a position which I find truly bizarre: that security breach notification laws don't help people. The article's reasoning (and I use the term loosely) seems to be that notification laws only require action after a breach takes place, so they really don't prevent identity theft. It would be better for consumers, according to the article, if the money companies now spend on complying with security breach notification laws were instead spent on security that might prevent identity theft. In any case, the article points out, more identity theft takes place due to telephone scams, lost wallets, or consumers who don't properly protect their computers. Basically, the article minimizes the harm caused by security breaches, and tries to argue that the money spent notifying consumers of the breaches would be better spent elsewhere.

Frankly, it's hard to know where to begin criticizing the article. My immediate instinct is to slam the prose. The author has a terrible habit (epidemic in lawyers, I'm sad to say) of asking rhetorical questions and making mealy-mouthed equivocations rather than just taking a position. For example, the author points out that "Enforcement of these laws may not help consumers, either." So there's a possibility that consumers may not be helped by enforcing laws. Similarly, it's possible that the sun may not rise in the east tomorrow. If the author really feels that security breach notification laws don't help people, he should say so, rather than couching his arguments in insubstantial speculation and rhetorical questions.

However, while my instinct is to slam the prose, I think it's more important to recognize that the logic underlying the prose is really, really bad. The primary mistake the author makes (and it's a doozy) is to assume that the only benefit which can come from security breach notification acts is to prevent identity theft. That's simply nuts. The primary benefit of the notification acts is that, because of them, people are notified when there's a problem. Without notification laws, businesses would never go public about security breaches, and what is indisputably a major public policy issue would simply be swept under the rug. Perhaps the author of the article thinks ignorance is bliss, but I prefer that problems be widely acknowledged so that they can be addressed. A secondary mistake the author makes is that he assumes that the more money businesses spend complying with notification laws, the less money they'll spend on security. This doesn't make sense. If businesses could sweep security breaches under the proverbial rug, they would spend even less on security. The high cost of security breach notifications (in terms of both money and bad PR) will cause companies to spend more on security, not less.

I could go on almost indefinitely about what's wrong with the author's position, but I won't. Instead, I can illustrate with a simple analogy: if the author were arguing that statutes requiring businesses to notify consumers when there was a toxic waste spill were ill-conceived because they diverted money which would otherwise be used to prevent spills, he would be treated as a laughingstock. While drinking toxic waste is clearly a more direct threat to health than a data security breach, it's no more logical to allow the release of personal data to be swept under the rug than it is to allow the release of toxic waste to be covered up.

