Three Policy Interventions for Reducing Privacy Harms

Thanks so much to Danielle and Concurring Opinions for inviting me to blog. This is an exciting opportunity and I look forward to sharing my thoughts with you. Hopefully you will find these posts interesting.

There are many policy interventions that legislators can impose to reduce harms caused by one party to another. Two that are very often compared are safety regulations (mandated standards) and liability. They lend themselves well to comparison because they’re generally employed on either side of some harmful event (e.g. data breach or toxic spill): ex ante regulations are applied before the harm, and ex post liability is applied after the harm.

A third approach, one that we might consider ‘sitting between’ regulation and liability, is information disclosure (e.g. data breach disclosure (security breach notification) laws). I’d like to take a few paragraphs to compare these alternatives in regards to data breaches and privacy harms.

Three Interventions

 

Ex Ante Safety Regulation
First, safety regulations are minimum operating requirements or licensing restrictions, and are ideally enforced before some company (or product) comes to market and before any harm has occurred. They are also generally enforced by public entities like state or federal agencies, though, a good example in data security is the industry self-regulated Payment Card Industry Data Security Standard (PCI DSS). PCI imposes minimum security protections for IT systems that process payment card transactions. Other examples include drivers (or any other kind of operating) licenses, building safety codes, etc. A relevant characteristic is that sanctions can be imposed from simply violating the regulation, even though no harm has yet occurred. Think of how speeding tickets are issued.

Mandated standards are clearly desirable (even necessary) in order to prevent catastrophic accidents and injuries, such as nuclear disasters, or cyber-incidents affecting critical infrastructure. More specifically, ex ante safety regulations are useful when only the average level of harm is observable, when the true source of the harm is unknown, or when alleged victims can only estimate (not prove) an increased probability of harm. These conditions seem to describe data breaches identity theft fairly well, don’t they?

However, mandated standards face serious criticism because they may only be loosely correlated with the actual harm. For example, some suggest that mandating data encryption will reduce breaches, thereby reducing identity theft. Is the correlation between more encryption and less identity theft strong? Empirical evidence suggests that mandated encryption of consumer health data has resulted in more, not less, privacy breaches (Miller and Tucker, 2010).

Mandated standards may also create perverse consequences. For example, consider a manufacturing company that receives a safety violation. Rather than investing in a safety training program and hiring a formal safety manager, the company simply hires a lawyer to defeat the allegations. Safety regulations, like any compliance regime, also risk driving adherence to the compliance check lists, rather than actually improving a company’s security posture. This can also contribute to the ‘false sense of security’ that many security professionals describe.

In sum, ex ante safety regulations appear, at best, to be necessary in preventing catastrophic accidents, and at worst, only loosely correlated to the actual harmful events: they drive companies to compliance, rather than reduce the harm. Despite these criticisms, however, there is a very strong argument supporting this approach: it’s easier to monitor compliance before an accident (ex ante), than to measure the total harm afterwards (ex post).

 
Ex Post Liability
Ex post liability, of course, holds the injurer accountable for any damage suffered by the victim. As many readers likely know, a liability regime is very useful (or at least, imposes less social cost) when the number of injured parties is low and when the injurer is identifiable and within a court’s jurisdiction. Liability is also preferred when the harm is better known by the victim rather than the State, and when it is clearly quantifiable and legally recognized.

Do any of these sound like they describe data breaches and identity theft very well?

Moreover, as with safety standards, ex post liability serves to optimize the level of care taken (i.e. security precautions) by an injurer, not minimize the harm caused.

The difficulties in recovering losses are clear in data breach lawsuits, as has been discussed on this site before. Indeed, to my knowledge, there has been no judicial ruling favoring a plaintiff. Instead, most often these suits are resolved through motions to dismiss for lack of standing or summary judgment, mainly because plaintiffs can’t demonstrate actual harm. Only sometimes are suits settled out of court, in which cases plaintiffs may only receive 1-2 years of credit monitoring.

What I am keeping an eye on, however, are these set of new state laws that hold merchants strictly liable to banks for data breaches resulting in the replacement of payment cards (HB 1149 in Washintgon state and HF 1758 in Minnesota). Privacy and data security litigators reading this Blog would certainly be more informed (and please comment if you are), but it strikes me that a liability regime would be much more successful in this case because: the injurer is known, there is physical loss (cost of reissuing the payment card), and causation is clear.

 

Information Disclosure
If ex ante regulation is a prevention device, and ex post liability is a recovery device, information disclosure could be described as a correction device. That is, an event has occurred (a data breach or toxic spill) which may — but has not yet – created actual harm (identity theft, illness). This is a wonderful type of intervention because it doesn’t force companies to do anything more than notify potential victims. For this reason, it’s considered a light-handed paternalistic approach.

The idea, of course, is that by notifying people, you empower them to take action and reduce their potential losses. The problem, however, is that rather than empowering people, notification could instead burden them. Perhaps some of you experienced this after reading a breach notification letter: compare your risk of suffering identity theft without taking any action to your risk of suffering identity theft by taking some action. Then consider the incremental effort required to take action. What should you do? Right, I don’t know either. It’s hard. Introduce other behavioral issues like optimism bias (consumers perceiving their chances of suffering identity theft to be very low), rational ignorance (consumers believing the cost of taking precautions outweighing any benefits they may receive), and status quo bias (consumers’ own inertia inhibiting them from anticipating the consequences of identity theft and responding) and things become very complicated.

Disclosure, it seems, becomes most useful for people who: lack information (or are misinformed), will understand the information being provided, who understand the consequences of both acting and not acting, and are willing (and able) to respond to the new information.

I’m curious: what kinds of disclosure notices can you think of, and were they helpful to you? (e.g. cigarette labels, web or flash cookie messages, nutrition labels posted in fast food restaurants).

 
(Alessandro Acquisti and I present a full analysis of these three interventions in the context of data breaches and privacy harms in this paper: http://ssrn.com/abstract=1522605.)

You may also like...

4 Responses

  1. A.J. Sutter says:

    Your focus seems to be on the timing of harm, so you put information disclosure in the middle. But I’m not sure that’s the most fruitful dimension along which to organize these remedies — how about degree of recourse for consumers? Information disclosure alone seems more like a way to exculpate actors from doing bad things as long as they announce they’re doing so — i.e., laissez faire is fine as long as it’s in your face. Consumers then assume the risk. This is certainly in keeping with the current Hayekian vogue of subsuming legal institutions to market ones, but it isn’t necessary salutary. The public needs to have some guidelines as to what’s acceptable and what isn’t; in many cases regulation plus disclosure seems a better combination, at least where consumers are concerned.

    (For the record, I’ve found nutrition labels generally to be helpful, including in franchise juice bars where I too often discovered ostensibly “healthy” drinks with 1,000+ calories, and in convenience stores here in Japan, where an innocuous looking roll will have 500+.)

  2. S T LaRue says:

    Subtexting all of this is the definition of harm. Can you clearly state this? Can you state from whose perspective harm is to be defined by? Currently, it is from the information steward’s perspective and not from the information owner’s? One cannot assume that the two entities are the same or that the information steward/holder will define harm in the best interest of consumer/owner.

  3. Sasha says:

    A J,

    Certainly you’re right that there would be other interventions we could investigate (tax, insurance, etc) and distinguishing them by timing is just one way to evaluate them.

    And yes, you make a good point that disclosure may simply transfer the burden to individuals, which hardly seems fair. And I would agree.

    The advantage of disclosure — especially for a new kind of harm such as identity theft — may be that if consumers care enough, they can take action to punish the firms for their bad behaviors (selling stock, purchasing elsewhere). So yes, indeed, disclosure can burden consumers, but it can also empower them — in this sense by exerting market pressure.

    And indeed, I have yet to see only one of these policies used exclusively.

  4. Sasha says:

    S T,

    I’m not entirely sure if I understand your comment, but let me try to respond.

    If your point is regarding the source of the harm (however we choose to define that), this introduces a delicate, but interesting situation.

    You’re likely familiar with Ronald Coase and his discussion of reciprocating social cost. The canonical example is the baker on the street level who produces noise, disturbing the doctor’s patients in his office on the upper floor.

    We may initially feel that yes, the baker is imposing a cost on the doctor and the baker should therefore be fined or enjoined from operating. However, isn’t the doctor imposing restrictions on the baker, and therefore, should the baker not also be enjoined? After all, it is a function of both parties who cause this externality. It’s no longer clear who is the ‘injurer’ and who is the ‘victim.’

    Some may feel, then, that regarding data breaches and identity theft that obviously the company is the injurer when consumer information is improperly disclosed. However, if the consumer didn’t provide the information in the first place (i.e. if they shopped somewhere else), aren’t they, at least in part, somewhat responsible?

    As I said, it is a delicate, but very interesting point.