Security breach notice laws: evidence?
"Data security" is a new mantra with many faces. One face involves "security breach notice" laws now in over fifteen states and being considered by Congress. We need to pause and ask whether these laws create or solve a problem. Whether these are good or bad laws remains to be seen, but they have been enacted rapidly and are not uniform. They reflect an increasingly common rush to legislative judgment that we have seen on various Internet and digital information "problems."
It is not true that every social issue or problem requires a legislative or judicial solution; most should be left to be solved by the open market or the common sense of the people involved. But it is also true that new laws sometimes change society in important ways, and those changes are not always predictable and often unintended. Of course, some new laws simply impose costs without having a significant impact on the problem they were meant to address.
What is the most likely impact of breach notice laws? We don't know.
Several things are clear, however.
First, the laws conflict with a fundamental tenet of U.S. law - if you acquire knowledge of a fact other than in a confidential context, you can use, disclose or ignore that information as you choose so long as you do not commit fraud or the like. The ability to use factual information properly acquired is central to our culture. There are exceptions, of course. But the general rule, especially for publicly known information is that, if you know it, you own it in the sense of being free to use it for legal purposes.
Second, as described by Holly Towle, a leading expert in this field, the statutes are non-uniform in their requirements, reflecting the speed and resulting lack of reflection under which they have been adopted.
Third, putting aside their non-uniform details, breach notification rules require a company holding certain data about individuals to notify those individuals if a breach of the company's security occurred (or looks like it occurred). The bad actor is not involved - that person will be punished under other laws if caught. The new breach notification laws pertain to two victims: the company (actual victim) and the person whose information may or may not have been compromised (potential victim). The notification rules require that the actual victim incur costs to notify the individuals to whom the "at risk" data pertain.
Fourth, these statutes are not needed to deter or penalize the type of fraud, identity theft, or other misbehavior that proponents fear - a variety of criminal and identity theft laws already do that. Indeed, it is not clear how many cases of security breach actually result in fraud or identity theft. One source estimates that over 50 million individuals received or have been entitled to notice. In addition, many people receive fraudulent notices. Some undetermined percentage of both groups have been victimized by eventual fraud. But we don't know how many. And some studies indicate that the amount of actual harm in so-called identity theft is far less than some activists claim.
Nevertheless, the statutes have become popular. One reason is that they reflect a modern fear of identity theft and, perhaps, the belief that the financial harm of various forms of identity theft has not already been shifted in law from the individual to a company, such as a bank, a merchant, or a credit card issuer. The goal seems to be that, by requiring notice to the potential theft victims, those people will be better able to protect themselves and their property by taking prompt action to avoid likely fraud. This hope makes a number of empirical assumptions on issues about which very little is now known.
One question is: are we obtaining sufficient protection from likely fraud to justify the costs involved, including the restructuring of businesses, erosion of basic principles about who owns or controls publicly available factual information, and the risk of fraud that the notice system itself creates?
The first study relevant to this was funded by the New York law firm of White and Case and conducted by the Ponemon Institute. The study surveyed over 50,000 persons, roughly 18% of whom responded. You should read this study. It contains a very mixed bag of findings that, arguably, one could use to "prove" many different positions. I want to mention only a few particularly interesting tidbits.
Of the respondents, roughly 12% indicated that they had received at least one breach notification. Roughly 39% of those who received the notices initially thought it was junk mail, spam or a telemarketing call. This is 39% of those who eventually concluded that this was an important security breach notice. Think about your own reaction when you receive one of the now ubiquitous notices allegedly from a bank or another entity indicating that your account may have been compromised and asking you to contact a given number. Or worse, think about it when you receive a fake notice. I received one such notice weeks after the original breach notification law was enacted, but it allegedly came from a bank at which I did not have an account! Now ask, how many people simply disregarded the real notice and never discovered that they received something important? On the other hand, the survey says: 50% "knew" that their notice was important from the start -- how many of these actually responded to a fraudulent notice?
The point is not that notices are ineffective, but that notices sent in any form that is feasible create their own opportunities for fraud and mistake.
Of those who "received" a notice, fully 50% did nothing. Only 3% of the "recipients" reported that they had been victimized by identity theft. Both of these should be sobering figures for any legislator interested in creating or expanding this type of law. Equally interestingly, 61% reported that the notice had caused them to be more worried about security, while 5% resorted to the all-American response and hired lawyers to pursue legal claims against the company sending the notice.
Finally, perhaps the most important impact of the statutes lies in the fact that, in the survey, 19% of those receiving a notice terminated their relationship with the notifying company, and others were considering it. This fact, coupled with the publicity associated with giving such notices and the liability risk that may eventually emerge, contributes to what David Bender, a leading expert on privacy law, describes as an "invisible hand" effect. Even in the absence of any litigation or liability, the statutes themselves and the risk of being required to give notice have created strong incentives for businesses to develop levels of security appropriate to the type of data they hold. Zealots may not regard these levels as sufficient, but the evolution of voluntary standards driven by market considerations is an appropriate way of dealing with the issue.
There it is then, for now at least. The notice statutes are having an effect. But their cost (social or economic) is not clear, nor is the extent of the benefit created. I leave this topic open for future discussion.
I agree that governmental regulations are never the right answer in the IT field. This is simply due to the fact that they are always broad and vague in their design to hedge what could be perceived as bad legislation. Where we really need to be concerned, and in fact demand, is in the original programming of all software applications. If security were a major issue at the beginning of the SDLC, the programs themselves would prevent some types of incidents. If we demanded more secure software, the companies who distribute it would try harder to correctly code their applications to prevent buffer overflows and cross-site scripting, for example. As consumers, we complained enough to prompt Microsoft to at least try to provide a more secure application suite. If the masses demand a more secure environment, they will eventually get it from the industry. Legislation from a government that is not trusted to even tell the truth is not now, and never will be, the answer. The public needs to demand it from the people whose pockets we line every day with purchases of their products and services.
If software applications, to include OS's, are security centric from inception, we in the security field will become like the BetaMax. Nice to have around, but not used much anymore.
Professor Nimmer,
What is your position on the data collection performed by search engines? Should SEs be able to keep data for 13-18 months? Should they have access to personal data beyond the computer IP address? Do their privacy policies need to be more specific? Is the information collected viewed as public domain?
Thank you very much.
