Evaluating Data Breach Disclosure Laws

posted by Sasha Romanosky

I imagine most of you have received one or more letters from companies informing you that they lost your personal information. If so, what, if anything, did you do about it? Did you check your credit history, close a financial account, do something else, or nothing at all? If you did act, you likely did it to reduce your risk of suffering identity theft. My research question is: did it work? This is something I’ve been examining for a number of years now.

In a paper coauthored with Rahul Telang and Alessandro Acquisti at Carnegie Mellon University, we empirically examine the effect of data breach disclosure (security breach notification) laws on identity theft. For a policy researcher, this represents a fantastic opportunity: a clear policy intervention (adoption of laws across different states), a heated controversy regarding the benefits and consequences of the laws that is both practically and academically interesting, good field data, and a powerful empirical analysis methodology to leverage (criminology).

An initial version of the paper used consumer-reported identity theft data collected by the FTC for 2002-2006. Using just these data, we found a negative but not statistically significant effect. In fact, I was quoted as saying, “we find no evidence that the laws reduce identity theft.” And it was true; we didn’t.

However, we have since augmented that work to include data up to 2009. This gave us more observations, allowed the laws to be in force for longer, gave companies time to adapt to them, and perhaps empowered more consumers to take action. We find that the laws did, indeed, reduce identity theft by about 6%. Moreover, we have a fair amount of confidence in this estimate because the results hold up under many kinds of permutations and transformations — which is very nice to see.

Interpreting the magnitude of that estimate is another issue. Is 6% good? Is it big? That’s an important question, and one to which I wish I had a better answer. If it’s true that the losses from identity theft to companies and consumers are in the tens of billions (say, conservatively, $40B), and that data breaches cause around 20% of all identity theft (a rough estimate based on the limited data we have), then a 6% reduction represents a savings of $480M. Not bad.

So if that’s the benefit, then what’s the cost of the laws? As a researcher, one way to gauge the laws’ success (at least in part) is to compare this estimated benefit with the costs that companies incur because of the laws. There is a cost to compliance, after all — costs that companies would not otherwise have borne but for the laws. If the costs are greater than the benefit from this 6% reduction in consumer identity theft, is it still possible that the laws are worthwhile? How would we even go about answering that?

One of the interesting consequences of the data breach disclosure laws has been to raise awareness of breaches and the resulting privacy harms. And what happens when people are harmed? They tend to sue. Danielle Citron and Daniel Solove (among others) have written about the difficulties that plaintiffs face when bringing legal actions against companies for data breaches. Nevertheless, the lawsuits do have an effect: they force companies to internalize some portion of consumer loss (fraud, etc.). But I argue that this loss isn’t fixed – it changes based on how much effort consumers expend to mitigate losses (i.e., remember those steps you took after receiving that breach notice?). This creates an interesting dependency between the portion of costs borne by the company and the portion borne by the consumer. Moreover, the laws impose a real cost on firms, too, in what I’ve described as a ‘disclosure tax.’

The fascinating outcome of all this is that the change in social cost (the net change in company and consumer losses) is very unclear. Social cost may increase because of this new disclosure tax, or it may decrease because newly informed consumers are reducing their losses. But if a company’s investment in data security increases with consumer losses (say, from greater liability), and if those losses are declining (because consumers now have this disclosure information), then companies could end up spending less on data security.

I find the study of these dynamics very interesting because I think the topics are important (data breaches, disclosure laws and consumer loss) and, as I mentioned, the outcome is quite uncertain. Moreover, this affords us an opportunity to apply analytical modeling to better understand how (and why) company and consumer incentives change, and the conditions under which overall social costs can decline. I’ll discuss the modeling approach in more detail in another article.


December 1, 2010 at 6:04 pm. Tags: data breach disclosure laws, identity theft, security breach notification. Posted in: Cyberlaw, Economic Analysis of Law, Empirical Analysis of Law, Privacy.

Responses (5)

  1. Chris - December 2, 2010 at 10:06 am

    I’m sure the modeling on this is complicated enough, but I suspect that there are also hidden benefits that payment of this disclosure tax brings.

    If firms which otherwise would be sloppy begin to operate more regularly, they may see that it pays off in the form of less unscheduled downtime, etc. In a sense, these laws may — in part — act as a form of Service Level Agreement, with firms agreeing to pay an embarrassing and costly disclosure tax if they do not deliver according to the SLA. Just as — I would argue — contractual SLAs with penalties cause IT organizations to pay better attention to performance, laws such as these may have similar effects. I have no idea how I’d attempt to measure them :^).

  2. Chris Cosner - December 2, 2010 at 2:09 pm

    Sasha, can you explain what you mean by ‘social cost’? Is it an aggregate cost for all parties? Is it purely monetary? If so, what would be its ultimate measure? GDP?

  3. Sasha - December 2, 2010 at 2:11 pm

    Hey Chris, thanks for the comment.

    What you describe is, indeed, a possible outcome: a positive externality from additional security investment (spillovers to other departments, perhaps). You could also include any sort of resilience to outage or security incident because of these investments.

    While we do not specifically model this effect, you might approach it this way: since the benefits are all internalized by the firm, the effect might be to just proportionally reduce the cost of investment. The important thing, though, is whether this change just ends up shifting curves one way or another, or whether it fundamentally alters the shape of some function. The latter would qualitatively change the result, while the former would not.

    cheers,
    sasha

  4. Sasha - December 2, 2010 at 2:18 pm

    Chris (Cosner),

    Thanks, and sorry for not being more clear. What I’m considering as social cost is really just the sum of the cost to the consumer and the firm (the breached company).

    In these economic models, one often considers the behavior (e.g. cost of security investment) to one firm and one consumer. The ‘social cost,’ then, is literally just the sum of these two costs. You can easily expand that to consider costs to all firms or all consumers just as you suggest, but then you easily lose focus on your question of interest.

    cheers,
    sasha

  5. Sasha - December 2, 2010 at 4:02 pm

    For those interested, the full paper is at http://ssrn.com/abstract=1268926.

© Concurring Opinions