Evaluating Data Breach Disclosure Laws
I imagine most of you have received one or more letters from companies informing you that they lost your personal information. If so, what, if anything, did you do about it? Did you check your credit history?; close a financial account?; something else?; or nothing at all? If you did act, you likely did it to reduce your risk of suffering identity theft. My research question is: did it work? This is something that I’ve been examining for a number of years now.
In a paper coauthored with Rahul Telang and Alessandro Acquisti at Carnegie Mellon University, we empirically examine the effect of data breach disclosure (security breach notification) laws on identity theft. For a policy researcher, this represents a fantastic opportunity: a clear policy intervention (adoption of laws across different states), a heated controversy regarding the benefits and consequences of the laws that is both practically and academically interesting, good field data, and a powerful empirical analysis methodology to leverage (criminology).
An initial version of the paper used consumer reported identity theft data collected from the FTC from 2002-2006. Using just these data, we found a negative but not statistically significant result. In fact, I was quoted as saying, “we find no evidence that the laws reduce identity theft.” And it was true, we didn’t.
However, we have since augmented that work to include data up to 2009, which allowed us to include more observations, allowed the law to exist for longer, and allowed companies to adapt to them, and perhaps empowered more consumers to take action. We find that the laws did, indeed, reduce identity theft by about 6%. Moreover, we can say that we have a fair amount of confidence in this estimate because the results hold up to many kinds of permutations and transformations — which is very nice to see.
Interpreting the magnitude of that estimate is another issue. Is 6% good? Is it big? That’s an important question, and one to which I wish I had a better answer. If it’s true that the losses from identity theft to companies and consumers are in the tens of billions (say, conservatively, $40B), and that data breaches cause around 20% of all identity theft (a rough estimate based on the limited data we have), then a 6% reduction represents a savings of $480M. Not bad.
So if that’s the benefit, then what’s the cost of the laws? As a researcher, one way to gauge the law’s success (at least, in part) is to compare this estimated benefit with the costs that companies incur because of the laws. There is a cost to compliance, after all — costs that companies would otherwise not have borne but-for the laws. If it’s the case that the costs are greater than this 6% benefit from reduced consumer identity theft, is it still possible that the laws are worthwhile? How would we even go about answering that?
One of the interesting consequences of the data breach disclosure laws has been to raise awareness of breaches and resulting privacy harms. And what happens when people are harmed? They tend to sue. Danielle Citron and Daniel Solove (among others) have written about the difficulties that plaintiffs face when bringing legal actions against companies for data breaches. Nevertheless, the lawsuits do have an effect: they force companies to internalize some portion of consumer loss (fraud, etc.). But I argue that this loss isn’t fixed – it changes based on how much effort consumers take to mitigate losses (i.e. remember those steps you took after receiving that breach notice?). This creates an interesting dependency among the portion of costs borne by the company versus the portion borne by the consumer. But moreover, the laws impose a real cost on the firms, too, in what I’ve described as a ‘disclosure tax.’
The fascinating outcome of all this is that the change in social cost (the net change in company and consumer losses) is very unclear. Social cost may increase because of this new disclosure tax, or it may decrease because newly-informed consumers are reducing their losses. But if a company’s investment in data security increases with consumer losses (say, from greater liability) and if those losses are declining (because of these disclosure information), this suggests that companies could end up spending less on data security.
I find the study of these dynamics very interesting because I think the topics are important (data breaches, disclosure laws and consumer loss) and, as I mentioned, the outcome is quite uncertain. But moreover, this affords us an opportunity to apply analytical modeling in order to better understand how (and why) company and firm incentives change, and the conditions under which overall social costs can decline. I’ll discuss more about the modeling approach in another article.