In 2009, three researchers at Carnegie Mellon University announced that the data breach disclosure laws pioneered by California, and soon copied by many US states and nation-states around the globe, did not work. The same researchers have now released a follow-up, allowing me to toot my own horn.
I had blogged earlier this year about the researchers' conclusions, and provided my own: it's just too early to tell.
While the research covered the years from 2002 through 2007, a total of five years, I had pointed out that most states had not adopted breach notification laws until 2005. This means the CMU researchers were essentially evaluating a two-year-old law.
For example, in 2002 and 2003, only California had an active breach notification law in place, if memory serves me. It wasn't only the first to pass such a law; it also provided safe harbor if encryption software was used.
Take out this outlier and the research only covers 2004 through 2007, and, again, the majority of states had adopted their laws in 2005, so 2004 is something of an outlier as well (but not grossly so: I think the number of states with notification laws was in the teens).
The latest update to the research:
We find that the laws did, indeed, reduce identity theft by about 6%. Moreover, we can say that we have a fair amount of confidence in this estimate because the results hold up to many kinds of permutations and transformations — which is very nice to see.
The author has also made a rough estimate that the 6% figure corresponds to a $480 million reduction in ID theft losses (which I personally find to be optimistic; but his guess is as good as mine in this case, and I certainly cannot come up with a better guesstimate myself).
Mr. Romanosky further makes this observation:
The fascinating outcome of all this is that the change in social cost (the net change in company and consumer losses) is very unclear. Social cost may increase because of this new disclosure tax, or it may decrease because newly-informed consumers are reducing their losses. But if a company’s investment in data security increases with consumer losses (say, from greater liability) and if those losses are declining (because of this disclosure information), this suggests that companies could end up spending less on data security. [my emphasis]
In other words, it could be in the interests of companies not to fight (OK, lobby against) breach disclosure laws, as they did in Massachusetts (companies had complained vociferously about the original rules, forcing the state to change the law twice and delay the introduction of the law by over a year).
On the other hand, the above also sounds like it could cycle the other way, as in predator-prey cycles.
I'm wondering whether the above would have any bearing on this Verizon observation that claims data breach laws won't help reduce data breaches. Could Verizon be working off the old CMU research?
Related Articles and Sites: http://www.databreaches.net/?p=15608