Do Data Breach Disclosure Laws Reduce Identity Theft?
Online breaches of sensitive customer data such as credit card numbers have become commonplace in the digital age. At times they have been massive in scale — for example, a 2011 breach in Sony’s video game online network led to the theft of names, addresses and credit card data from 77 million accounts. To encourage better security practices, states have enacted laws requiring firms to notify customers when data have been compromised. Advocates of such laws argue that they will inspire tighter security, but this hypothesis has yet to be tested.
As noted in a 2012 Congressional Research Service report (PDF), between 2005 and early 2012 more than 2,676 data breaches were disclosed to the public “involving 535 million records containing sensitive personal information,” according to data from the Privacy Rights Clearinghouse. The report also notes that “as of January 2012, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information.”
A 2011 study from Carnegie Mellon University published in the Journal of Policy Analysis and Management, “Do Data Breach Disclosure Laws Reduce Identity Theft?” uses data from the U.S. Federal Trade Commission to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2009. Prior research determined that the average dollar loss associated with theft of a consumer’s data was $6,383; the study uses this figure as a baseline for estimates of the value of disclosure laws.
The study’s findings include:
- Data breach disclosure laws have reduced identity thefts by an average of about 6.1%. Given that the mean number of identity theft reports over 2002 to 2009 totaled 238,791, disclosure laws are estimated to have resulted in a $93 million reduction in the total cost of identity theft.
- Data breaches do not happen less frequently in states that have stricter laws, and the researchers “do not find evidence of the laws gaining strength with time.”
- The study does find some evidence that the laws were effective in the short term, from 6 to 12 months. “[This] could be explained by a temporary heightened awareness by consumers of the notifications, causing them to briefly take more precautions. Perhaps, then, as more notices are sent, and without noticeable signals of the effect of their actions, consumers would become desensitized and ignore further notices.”
The laws’ limited effectiveness may be due to factors such as consumer complacency, a lack of court receptivity to consumer lawsuits and limited business incentives, the researchers conclude. “Managers of firms may also believe that the firm’s probability of suffering a breach is small enough that they may still not fully appreciate (and therefore internalize) the associated penalties. Or they may estimate the net direct and indirect costs of breaches to be quite small, compared with the investments necessary to significantly decrease the probability of those breaches.”
Tags: technology, crime, privacy
Note to instructor: The suggested lessons are designed for flexibility. The goal is to have students understand how to convey the study’s findings accurately and to consider techniques for making the subject matter broadly accessible. In addition, it is well worth discussing how the study was put together and the intellectual context from which it comes. There is also a related news article in the study analysis section.
Newswriting and digital reporting assignments
- Write a lead, headline or nut graph based on the study.
- Spend 60 minutes exploring the issue by accessing sources of information other than the study. Write a lead (or headline or nut graph) based on the study but informed by the new information. Does the new information significantly change what one would write based on the study alone?
- Compose two Twitter messages of 140 characters or fewer accurately conveying the study’s findings to a general audience. Make sure to use appropriate hashtags.
- Choose several key quotations from the study and show how they would be set up and used in a brief blog post.
- Map out the structure for a 60-second video segment about the study. What combination of study findings and visual aids could be used?
- Find pictures and graphics that might run with a story about the study. If appropriate, also find two related videos to embed in an online posting. Be sure to evaluate the credibility and appropriateness of any materials you would aggregate and repurpose.
Class discussion questions
- What is the study’s most important finding?
- Would members of the public intuitively understand the study’s findings? If not, what would be the most effective way to relate them?
- What kinds of knowledgeable sources you would interview to report the study in context?
- How could the study be “localized” and shown to have community implications?
- How might the study be explained through the stories of representative individuals? What kinds of people might a reporter feature to make such a story about the study come alive?
- What sorts of stories might be generated out of secondary information or ideas discussed in the study?
Read the study titled “Do Data Breach Disclosure Laws Reduce Identity Theft?”
- What are the study's key technical term(s)? Which ones need to be put into language a lay audience can understand?
- Do the study’s authors put the research into context and show how they are advancing the state of knowledge about the subject? If so, what did the previous research indicate?
- What is the study’s research method? If there are statistical results, how did the scholars arrive at them?
- Evaluate the study's limitations. (For example, are there weaknesses in the study's data or research design?)
- How could the findings be misreported or misinterpreted by a reporter? In other words, what are the difficulties in conveying the data accurately? Give an example of a faulty headline or story lead.
Read the issue-related New York Times opinion article titled "The Cybercrime Wave That Wasn't."
- What key insights from the article and the study should reporters be aware of as they cover issues of identity theft?