Three Policy Interventions for Reducing Privacy Harms
Thanks so much to Danielle and Concurring Opinions for inviting me to blog. This is an exciting opportunity and I look forward to sharing my thoughts with you. Hopefully you will find these posts interesting.
There are many policy interventions that legislators can impose to reduce harms caused by one party to another. Two that are very often compared are safety regulations (mandated standards) and liability. They lend themselves well to comparison because they are generally employed on either side of some harmful event (e.g. a data breach or a toxic spill): ex ante regulations are applied before the harm, and ex post liability is applied after the harm.
A third approach, one that we might consider as ‘sitting between’ regulation and liability, is information disclosure (e.g. data breach disclosure, or security breach notification, laws). I’d like to take a few paragraphs to compare these three alternatives with regard to data breaches and privacy harms.
Ex Ante Safety Regulation
First, safety regulations are minimum operating requirements or licensing restrictions, and are ideally enforced before some company (or product) comes to market and before any harm has occurred. They are generally enforced by public entities like state or federal agencies, though a good example in data security is an industry self-regulated standard: the Payment Card Industry Data Security Standard (PCI DSS), which imposes minimum security protections on IT systems that process payment card transactions. Other examples include drivers’ licenses (or any other kind of operating license), building safety codes, etc. A relevant characteristic is that sanctions can be imposed simply for violating the regulation, even though no harm has yet occurred. Think of how speeding tickets are issued.
Mandated standards are clearly desirable (even necessary) in order to prevent catastrophic accidents and injuries, such as nuclear disasters or cyber-incidents affecting critical infrastructure. More specifically, ex ante safety regulations are useful when only the average level of harm is observable, when the true source of the harm is unknown, or when alleged victims can only estimate (not prove) an increased probability of harm. These conditions seem to describe data breaches and identity theft fairly well, don’t they?
However, mandated standards face serious criticism because they may only be loosely correlated with the actual harm. For example, some suggest that mandating data encryption will reduce breaches, thereby reducing identity theft. Is the correlation between more encryption and less identity theft strong? Empirical evidence suggests that mandated encryption of consumer health data has resulted in more, not fewer, privacy breaches (Miller and Tucker, 2010).
Mandated standards may also create perverse consequences. For example, consider a manufacturing company that receives a safety violation. Rather than investing in a safety training program and hiring a formal safety manager, the company simply hires a lawyer to defeat the allegations. Safety regulations, like any compliance regime, also risk driving adherence to compliance checklists rather than actually improving a company’s security posture. This can also contribute to the ‘false sense of security’ that many security professionals describe.
In sum, ex ante safety regulations appear, at best, necessary for preventing catastrophic accidents and, at worst, only loosely correlated with the actual harmful events: they drive companies toward compliance rather than reducing the harm. Despite these criticisms, however, there is a very strong argument supporting this approach: it is easier to monitor compliance before an accident (ex ante) than to measure the total harm afterwards (ex post).
Ex Post Liability
Ex post liability, of course, holds the injurer accountable for any damage suffered by the victim. As many readers likely know, a liability regime is very useful (or at least imposes less social cost) when the number of injured parties is low and when the injurer is identifiable and within a court’s jurisdiction. Liability is also preferred when the harm is better known by the victim than by the State, and when it is clearly quantifiable and legally recognized.
Do any of these sound like they describe data breaches and identity theft very well?
Moreover, as with safety standards, ex post liability serves to optimize the level of care taken by an injurer (i.e. the security precautions), not to minimize the harm caused.
The difficulties in recovering losses are clear in data breach lawsuits, as has been discussed on this site before. Indeed, to my knowledge, there has been no judicial ruling favoring a plaintiff. Instead, these suits are most often resolved through motions to dismiss for lack of standing or through summary judgment, mainly because plaintiffs can’t demonstrate actual harm. Only sometimes are suits settled out of court, in which case plaintiffs may receive only one to two years of credit monitoring.
What I am keeping an eye on, however, is this set of new state laws that hold merchants strictly liable to banks for data breaches that result in the replacement of payment cards (HB 1149 in Washington state and HF 1758 in Minnesota). Privacy and data security litigators reading this blog would certainly be more informed (and please comment if you are), but it strikes me that a liability regime would be much more successful in this case because the injurer is known, there is a concrete financial loss (the cost of reissuing the payment cards), and causation is clear.
Information Disclosure
If ex ante regulation is a prevention device, and ex post liability is a recovery device, information disclosure could be described as a correction device. That is, an event has occurred (a data breach or toxic spill) which may, but has not yet, created actual harm (identity theft, illness). This is a wonderful type of intervention because it doesn’t force companies to do anything more than notify potential victims. For this reason, it is considered a light-handed paternalistic approach.
The idea, of course, is that by notifying people, you empower them to take action and reduce their potential losses. The problem, however, is that rather than empowering people, notification could instead burden them. Perhaps some of you experienced this after reading a breach notification letter: compare your risk of suffering identity theft without taking any action to your risk of suffering identity theft after taking some action. Then consider the incremental effort required to take that action. What should you do? Right, I don’t know either. It’s hard. Introduce other behavioral issues like optimism bias (consumers perceiving their chances of suffering identity theft to be very low), rational ignorance (consumers believing that the cost of taking precautions outweighs any benefit they may receive), and status quo bias (consumers’ own inertia inhibiting them from anticipating the consequences of identity theft and responding), and things become very complicated.
Disclosure, it seems, is most useful for people who lack information (or are misinformed), who will understand the information being provided, who understand the consequences of both acting and not acting, and who are willing (and able) to respond to the new information.
I’m curious: what kinds of disclosure notices can you think of, and were they helpful to you? (e.g. cigarette labels, web or Flash cookie messages, nutrition labels posted in fast food restaurants.)
(Alessandro Acquisti and I present a full analysis of these three interventions in the context of data breaches and privacy harms in this paper: http://ssrn.com/abstract=1522605.)