[Infowarrior] - Do Breach Notification Laws Work?

Richard Forno rforno at infowarrior.org
Thu Mar 12 11:47:43 UTC 2009


Do Breach Notification Laws Work?
By Kim Zetter, March 09, 2009 | 9:00:00 AM

http://blog.wired.com/27bstroke6/2009/03/experts-debate.html

Consumers caught in a national epidemic of data spills are growing  
numb, discarding breach notification letters as junk mail rather than  
acting to protect their identity, experts say.

And though most states now have laws requiring companies to warn  
breach victims, some serious breaches are still showing up on customer  
credit and bank statements before any official warning has been  
issued. It all begs the question: are the notification laws working?

This was the question that a number of speakers at the Security Breach  
Notification seminar held in Berkeley on Friday (at right) tried to  
answer.

When California passed the first data breach notification law in 2003,  
it quickly became the de facto standard for the rest of the country. A  
total of 44 states now have breach notification laws, which vary only  
slightly in their definitions of what constitutes a breach that  
requires notification and what companies must do when they experience  
a breach.

It's clear that the laws have made the public more aware of breaches  
and the vulnerability of their data, and have exposed poor security  
practices at many businesses. A 2005 study by the FBI showed that in  
the absence of a legal requirement to report breaches, only 20 percent  
of firms would report serious breaches to law enforcement.

But beyond this transparency benefit, speakers said, it's unclear what  
other benefits the laws have had. There are even suggestions that the  
laws have had some detrimental effects on consumers and companies.

Breach notifications should, theoretically, reduce the number of  
incidents of identity theft or fraudulent charges to credit cards if  
consumers take proper precautions once they receive a notification --  
such as placing a fraud alert or freeze on their credit account and  
monitoring their account bills and statements for suspicious  
transactions.

But in some cases, customers discover fraudulent charges on their  
cards or become victims of identity theft before a company is even  
aware its computers have been breached, making the breach notification  
redundant for those consumers.

There's also the "cry-wolf" effect.

As notifications have become more ubiquitous -- 55 percent of  
respondents in a survey by the Ponemon Institute last year said they'd  
received two or more notices within 24 months -- many consumers have  
become inured to them, simply tossing them in the trash rather than  
acting on them to protect their identity.

When the Choicepoint datamining company was breached in 2004 -- the  
breach that put California's breach notification law on the map -- the  
company offered credit protection and monitoring services to those  
whose information had been compromised. But the company later said  
that fewer than 10 percent of 163,000 people called Choicepoint to  
take advantage of the offer.

Consumers have often complained that notification letters provide no  
clear instructions for what they can or should do to protect  
themselves after their information has been breached and therefore  
many take no action to protect themselves after being notified that  
their information was breached.

According to a study (.pdf) conducted by Alessandro Acquisti,  
professor of information technology and public policy at Carnegie  
Mellon University, and his grad student Sasha Romanosky, there are  
arguments to be made both in support of and against breach laws.

On the one hand, data breach laws are helpful in leading companies to  
install encryption and to devise new access controls and auditing  
measures on their networks. They also lower consumer losses and  
damages in terms of time and money, although the researchers offered  
no statistics on this.

On the other hand, they said, the laws cause firms and consumers to  
incur what could be deemed unnecessary costs in the face of unclear  
risks. They pointed to the Ponemon survey, which found that only 2  
percent of respondents who said their information had been breached  
experienced identity theft as a result of the breach. This would mean  
that money spent on credit monitoring services in these cases would do  
little but enrich the monitoring services.

[It's worth noting that this low rate of identity theft was touted  
heavily by the Ponemon Institute when it released its study last year.  
But the same survey also found that 64 percent of respondents were  
unsure if they'd been a victim of identity theft -- showing how  
unreliable surveys on identity theft can be. Most victims don't know  
they're victims until they try to take out a loan or find themselves  
placed in collection for failure to pay a bill. And sometimes  
criminals hold onto data a year or more after a breach before they use  
it, meaning that consumers whose data is stolen may report that the  
breach didn't result in identity theft for them when in fact it may  
show up at a later date.]

When it comes to reducing identity theft rates, it's hard to know what  
effect the laws are having. The researchers examined statistics from  
the U.S. Federal Trade Commission for identity theft rates between  
2002 -- before breach laws were passed -- and 2007, and found only  
about a 2 percent reduction in identity theft incidents related to  
data breaches in 2005.

But they cautioned that the data is inconclusive, particularly because  
it's often difficult to correlate an incident of identity theft with a  
specific breach for the reasons I mentioned above -- that criminals  
will sometimes hold on to stolen data a year or more before trying to  
use it, making the rate of identity theft appear to go down when it's  
really only delayed. There's also a problem with the FTC data itself,  
since it represents only incidents of identity theft that consumers  
report to the FTC, not actual incidents of identity theft.

There are additional questions worth asking about what effect breach  
notifications have on the relationship between customers and the  
breached entity. Consumers often express anger and mistrust toward  
companies that lose their data, but it's unclear how often that anger  
translates to action. According to Deirdre Mulligan, a professor of  
information technology law and policy at UC Berkeley's School of  
Information, a Ponemon study found that about 20 percent of  
respondents claimed to have terminated their relationship with a  
company after discovering that the company experienced a breach.

But a separate survey of companies found that the percentage of  
customers who actually do terminate their relationship with a company  
is less than 7 percent. Both numbers should be taken with a grain of  
salt, however. Consumers, Mulligan told Threat Level, have a  
tendency to say they're going to do one thing when they actually do  
another, and companies also can't be relied on to honestly report the  
numbers of customers they lose from a breach.

All of this leads to the main takeaway from Friday's seminar -- data  
on breach notifications and their after-effects is still very poor and  
unreliable. In fact, this seemed to be the refrain from most of the  
speakers. There just isn't enough evidence to show definitively one  
way or another yet whether notification laws have been a boon or a bane.
