In Defense of Breach Notification Laws (sort of)


Note: This article was originally published on the Security Catalyst Blog.

Starting with California’s 2003 law, all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify an individual when his identity has been lost or kidnapped.

Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property. If Self is data, and data is property, then Self is property. If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property. Identity theft is just that: where a person’s Data Self is stolen and abused.

Measures of BNL Success

With five years of breach notification law experience, it is essential to ask, “Are they working?” My shorthand answer is “yes, sort of.”

I’ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater. Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren’t at risk if they don’t receive a notice. I agree that as currently written, breach notification laws have several shortcomings. But their success or failure should be measured in several ways:

  1. Decreased Incidence of Identity Theft
  2. Increased Awareness and Identity Control
  3. Decreased Risk Behaviors and Incidence of Breach
  4. Increased Victims’ Rights

1. Decreased Incidence of Identity Theft

Q: Do breach notification laws decrease identity theft?

A: Probably not. Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person’s Data Self. However, researchers Sasha Romanosky, Professor Rahul Telang, and Professor Alessandro Acquisti presented a well-reviewed paper which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates. Instead, they suggest that a state’s gross domestic product and general fraud rate have a much stronger correlation with ID theft.

2. Increased Awareness and Identity Control

Q: Do breach notification laws increase identity risk awareness? How about consumers’ control over their identities?
A: Yes, to varying degrees. A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and they have the strongest incentive to hide or skew the details. Many breaches go under- or unreported, regardless of law. Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark. In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:

  • Who: The class of victims affected by the breach.
  • What: A complete list of the exposed information, not just the items required by law.
  • Where: The exposing entity’s contact information.
  • How and When: Sufficiently detailed information about how and when the breach occurred.
  • How Much: Total number affected, sensitivity of the information exposed, duration of exposure, and distribution method (i.e., stolen laptop, online exposure, or dumpster).
  • What Now: A clear statement of the consumer’s legal rights (or lack of rights); concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; and suggested actions for the victim.

Of course, breach notification laws have much more lax reporting requirements than these. And although I agree that the average breach announcement is “noisy,” I think it would be a mischaracterization to label them as nothing more than “noise.” Even the least specific notifications build public awareness. For better or worse, most public awareness of identity risks comes from news bulletins about data breaches. Although none of the announcements may put any particular individual on notice of a personal risk, these “noisy” notifications have a net positive effect of educating the population at large.

3. Decreased Risk Behaviors and Incidence of Breach

Q: Do breach notification laws decrease individual risk behavior?
A: Probably not, but they have the potential to. An effective notification must contain actionable intelligence, which means intelligence plus action. For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue. You see bubbles. What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction.

However, imagine you’re on the same raft, and you see bubbles. But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up.

An alert is only effective when it empowers a person to act. Typical breach announcements usually do nothing to empower individuals. Effective breach notifications require both intelligence and action. If either one of these elements is missing (as is often the case), it will fail to empower victims, and may even engender apathy.

Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach. After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable repute.

It’s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.

Q: Do breach notification laws encourage organizations to improve behavior?
A: Probably yes. The Romanosky paper found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches. However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy. Both the Privacy Rights Clearinghouse and the OSF Data Loss Database show a steady, and perhaps even increasing, number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.

4. Increased Victims’ Rights

Q: Do Breach Notification Laws Create New Rights for Consumers?
A: Absolutely yes. While not a silver bullet to cure all ills, breach notification laws are an important first step toward creating rights for victims of breaches. Before BNLs, nobody had the right to know whether their Data Self had been compromised. Additional legislation will be necessary to address existing and emerging identity threats. Especially as Data Selves are treated as property, our society runs the risk that the unregulated trade of personal information could morph into a new form of digital human trafficking.

Legislative Improvements

Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:

  1. “Stewards,” not “Owners”: Given the tenuous and dangerous legal basis for “owning” personal information, notification laws should replace the concept of “personal information owners” with “personal information stewards.” This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can’t “own” a Data Self. When Self is Data and Data is Property, then we run the risk that Self becomes Property.
  2. Expand Reporting Requirements: Breach notifications should provide actionable intelligence, including who, what, when, how, how much, and “what now?” of each breach.
  3. Standard Measures of Risk: I suggest using Size, Sensitivity, Duration, and Distribution.
  4. Presumptive Loss: In order to successfully sue for a breach, a consumer must (1) become an actual victim of identity theft, (2) find the identity thief, (3) prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and (4) prove that the entity had a legal obligation to keep that information private (a rare duty). This is an unreasonable and often insurmountable burden of proof. Instead, Tennessee has adopted a small presumptive “ascertainable loss” whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market’s failure to value privacy.
  5. Require a Data Audit Trail: Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared. This data trail would be used for data audits and could help establish causation in the case of a breach.
  6. Automatic Credit Reporting: Consumers should get an automatic notification at any activity on their credit.
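To make suggestion 5 concrete, here is a minimal data-sharing audit trail, written for this article as an added example (it is not code from the author, the Liberty Coalition, or any statute). It records with whom and when each element of a person’s information was shared, then answers the two questions a steward and a victim actually need: who must be notified when a recipient is breached over a given window (with the size, sensitivity and duration measures from suggestion 3), and which recipients held a given field at or before a fraud occurred, i.e. the candidate causal sources. The subject identifiers, recipient names, dates and fields are all constructed sample data; a `retained_until` value models a recipient that has since deleted the record, and the assumption that a copy is held from `shared_at` onward is the example’s own.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Union

# Accept either datetime objects or ISO-8601 date strings everywhere.
def _ts(value: Union[str, datetime]) -> datetime:
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass(frozen=True)
class Disclosure:
    """One sharing event: a recipient received `fields` about `subject_id`."""
    subject_id: str                     # pseudonymous identifier of the data subject
    recipient: str                      # party the record was shared with
    shared_at: datetime                 # when the copy left the steward
    fields: frozenset[str]              # which elements were shared, e.g. {"name", "ssn"}
    retained_until: Optional[datetime]  # None means the recipient still holds the copy

    def held_during(self, start: datetime, end: datetime) -> bool:
        # Assumption: the copy exists from shared_at until retained_until (or forever).
        # The recipient held it during [start, end] if the two intervals overlap.
        return self.shared_at <= end and (self.retained_until is None or self.retained_until >= start)


class AuditTrail:
    """Append-only inventory of where each piece of personal information went."""

    def __init__(self) -> None:
        self._log: list[Disclosure] = []

    def record(self, subject_id: str, recipient: str, shared_at, fields, retained_until=None) -> Disclosure:
        entry = Disclosure(subject_id, recipient, _ts(shared_at), frozenset(fields),
                           _ts(retained_until) if retained_until else None)
        self._log.append(entry)
        return entry

    def subjects_exposed(self, recipient: str, start, end) -> dict[str, frozenset[str]]:
        """Who to notify: every subject whose data `recipient` held at any point in the
        exposure window, mapped to the union of the fields that recipient had."""
        start, end = _ts(start), _ts(end)
        exposed: dict[str, frozenset[str]] = {}
        for d in self._log:
            if d.recipient == recipient and d.held_during(start, end):
                exposed[d.subject_id] = exposed.get(d.subject_id, frozenset()) | d.fields
        return exposed

    def breach_summary(self, recipient: str, start, end) -> dict:
        """Size, sensitivity (which fields) and duration of a breach, derived from the trail.
        Distribution method (laptop, web, dumpster) is not recorded here and must be reported separately."""
        exposed = self.subjects_exposed(recipient, start, end)
        fields = frozenset().union(*exposed.values()) if exposed else frozenset()
        return {
            "size": len(exposed),
            "sensitivity": sorted(fields),
            "duration_days": (_ts(end) - _ts(start)).days,
        }

    def candidate_sources(self, subject_id: str, field: str, misused_at) -> list[str]:
        """Causation: recipients that had received `field` for this subject at or before the
        misuse. A copy deleted later could still have leaked earlier, so retention is ignored here."""
        misused_at = _ts(misused_at)
        return sorted({d.recipient for d in self._log
                       if d.subject_id == subject_id and field in d.fields and d.shared_at <= misused_at})


def build_sample_trail() -> AuditTrail:
    """Constructed sample data: one steward sharing three subjects' records with three recipients."""
    trail = AuditTrail()
    trail.record("subj-001", "payroll-vendor", "2008-01-10", {"name", "ssn"})
    trail.record("subj-002", "payroll-vendor", "2008-02-01", {"name", "ssn", "dob"})
    trail.record("subj-003", "payroll-vendor", "2008-05-20", {"name"})       # shared after the breach window
    trail.record("subj-001", "marketing-partner", "2008-01-15", {"name", "email"}, retained_until="2008-02-28")
    trail.record("subj-002", "credit-bureau", "2008-03-01", {"name", "ssn"})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    # A laptop at the payroll vendor goes missing; exposure window is 1 March to 15 April 2008.
    print(trail.subjects_exposed("payroll-vendor", "2008-03-01", "2008-04-15"))
    print(trail.breach_summary("payroll-vendor", "2008-03-01", "2008-04-15"))
    # subj-002 discovers SSN fraud on 1 April 2008: which recipients could be the source?
    print(trail.candidate_sources("subj-002", "ssn", "2008-04-01"))
```

Two design points matter for the legal use the article has in mind. First, the trail is append-only and keyed by recipient and time, so a breach at one downstream party yields a notification list without the steward having to trust that party’s own account of what it held. Second, `candidate_sources` deliberately does not narrow the answer to a single entity: the trail can shrink the set of plausible sources for a thief’s copy of an SSN, which is what a presumptive-loss regime needs, but it cannot by itself prove which copy was the one misused.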

Aaron Titus is the Privacy Director for the Liberty Coalition and runs National ID Watch, and welcomes feedback.


Footnotes

Cal. Civ. Code 1798.82-84.
See, e.g. N.H. Rev. Stat. 359-C:2.
See, e.g. Ga. Code 10-1-910(4),(7).
See, e.g. Cal. Civ. Code 1798.81.5.(a).

Tenn. Code 47-18-2102(1).