PFF Study Faults Data Breach Notification Mandates
WASHINGTON D.C. - State and Federal lawmakers should proceed with caution when considering notification legislation addressing the perceived growth of data security breaches, according to a new paper released by The Progress & Freedom Foundation. "An Economic Analysis of Notification Requirements for Data Security Breaches," authored by Senior Fellow and VP for Research Thomas Lenard and Adjunct Fellow Paul Rubin, finds the costs of such notifications to businesses and consumers are likely to be substantially higher than the benefits.
Lenard and Rubin, the Samuel Candler Dobbs Professor of Law and Economics at Emory University, address various economic factors to analyze the real cost of notification mandates. "The annual costs of identity theft and related frauds are $55 billion, $50 billion of which are borne directly by businesses, including banks, credit card issuers and merchants. Firms also suffer large losses in stock value when security is breached. These factors provide strong incentives for companies to spend money on data security," explain Lenard and Rubin. "The expected benefits to consumers of a notification requirement are extremely small--on the order of $7.50 to $10 per individual whose data have been compromised. This is because (1) most cases of identity theft do not involve an online security breach; (2) only a very small percentage of individuals compromised by security breaches--perhaps 2 percent--actually become victims of a fraud; (3) most of these are victims of fraudulent charges on their existing credit accounts, for which they have very limited liability, rather than victims of true identity theft; and, (4) even a well-designed notification program will only eliminate about 10-20 percent of the expected costs."
The authors also address the current trend of state laws regulating notification. "Federal preemption of state notification laws will reduce compliance costs and improve the benefit-cost balance. A true federalist approach is not possible with markets and firms that are national, and even international, in scope. Firms will tend to comply with a single set of rules. In the absence of a preemptive federal statute, they will comply with the most stringent set of state regulations, which will in effect 'preempt' other state regulations."
Lenard and Rubin conclude that, "Because a notification mandate is dubious on benefit-cost grounds, it should be targeted carefully. Firms should be able to determine which customers are most at risk and tailor notice to those individuals, perhaps in cooperation with the FTC. Encrypted data should be exempt from notice, because it is less likely to be used for fraudulent purposes."
The study's release comes on the heels of increased activity at the state and federal level addressing the highly publicized data security breaches in recent months. In addition to legislation already adopted in 13 states, several Senate bills relating to data security and privacy are being considered in the Senate Commerce and Judiciary Committees. Members of the House Commerce Committee are also circulating a draft bill that could be introduced and marked up at the subcommittee level before the upcoming August recess.
The paper's release also coincides with the PFF Congressional Seminar "Data Security and Privacy Protection: What is the Public Sector's Role?" to be held Friday, July 22nd. In addition to the participation of Lenard and Rubin, the panel will feature former Federal Trade Commissioner Orson Swindle; former Director of the FTC's Consumer Protection Bureau Howard Beales; Chief Counsel of the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection David Cavicke; and Executive Director of the Electronic Privacy Information Center Marc Rotenberg. The event will be held Friday, July 22nd, from 12 - 2 pm, at the Rayburn House Office Building, Room B369. Please visit our website for information and online registration.
The Progress & Freedom Foundation is a market-oriented think tank that studies the digital revolution and its implications for public policy. It is a 501(c)(3) research & educational organization.