US data breach laws a waste of time
They sound great but do little, claims one legal eagle.
By Bart Lazar, Computerworld (US) | Techworld | Published: 11:00, 12 June 2008
The database security laws passed by 39 states cause businesses substantial expense. Although the goal of these laws is to prevent identity theft, there is no credible evidence that demonstrates that the supposed benefit to consumers outweighs the administrative burden and expense caused to companies.
Because the alleged benefits are illusory, a company's time and resources would be better spent on proactive efforts to prevent data breaches.
With security breaches at major companies frequently in the news, legislators feel pressured to pass laws to protect consumers. No politician wants to be viewed as being soft on identity theft. However, legislatures have not passed proactive laws that would prevent theft, but reactive ones that impose substantial burdens on companies.
Typically, database breach notification laws require companies to send notices to all persons whose data is likely to have been accessed by an unauthorised party. There are many variations in the statutes. Some states, like Massachusetts and North Carolina, require notifications if there is a theft of paper data and electronic data. Massachusetts, New Jersey and New York are among the states that require companies to notify law enforcement agencies and/or the state attorney general in the event of a breach. A provision of some statutes is that consumer reporting agencies like Experian, TransUnion and Equifax be notified.
In every case, though, the notifications come after the fact. What's more, there seems to be no evidence supporting a causal connection between these types of security breaches and identity theft. For example, though security breaches appear to occur frequently (information is difficult to gather), identity theft is actually going down, at least according to Javelin Strategy & Research's 2008 identity theft survey.
In addition, Javelin's findings indicate that the vast majority of identity theft issues arise, not from security breaches relating to data held by third parties (which is what the state database security laws typically address), but from telephone scams, lost wallets and security breaches on consumers' own computers because of failure to use proper software.
In any event, there does not appear to be compelling evidence that consumers are able to avoid identity theft by receiving notifications when their electronic data may be subject to a security breach.
Similarly, enforcement of these laws does not really protect consumers. Companies are spending serious money on notifications, millions that could be better spent on improving security procedures, technology and training. According to the Ponemon Institute's 2007 study on the cost of a security breach, companies spend almost $200 (£100 approx) per name breached. That money goes to, among other things, lawyers like me, private investigators, forensic experts, credit bureaus and insurance companies. But if all that money does not help consumers prevent identity theft, what is the point?
Enforcement of these laws may not help consumers, either. In the only enforcement of security breach laws by the New York attorney general, the defendant company was prosecuted even though it had hired a private investigative firm and gotten the FBI involved. In fact, the FBI actually recovered the computer equipment that had been stolen and stated that the information was unlikely to have been used. The attorney general alleged that the company had unreasonably delayed sending out notifications. But what purpose did those notifications ultimately serve if the data was recovered?
Even if the attorney general was correct in alleging that the company sent out notifications later than it should have, was this a reason for an extensive investigation and law enforcement proceeding? Let's remember that the purpose of the database security breach laws is to prevent consumer harm, and there was no harm to consumers in this case. (Full disclosure: I represented the defendant in this case.)
Ultimately, the privacy and security interests of our citizens may be better served if the money spent on reacting to security breaches as part of a legislated incident response instead was invested on a proactive basis into security infrastructure and training.
Bart Lazar is a Certified Information Privacy Professional and partner at Seyfarth Shaw LLP. He practices in the fields of trade regulation and intellectual property law and is the leader of Seyfarth Shaw's national privacy and security practice.