Online breaches of sensitive customer data such as credit card numbers have become commonplace in the digital age. At times they have been massive in scale — for example, a 2011 breach in Sony’s video game online network led to the theft of names, addresses and credit card data from 77 million accounts. To encourage better security practices, states have enacted laws requiring firms to notify customers when data have been compromised. Advocates of such laws argue that they will inspire tighter security, but this hypothesis has yet to be tested.

As noted in a 2012 Congressional Research Service report, between 2005 and early 2012 more than 2,676 data breaches were disclosed to the public “involving 535 million records containing sensitive personal information,” according to data from the Privacy Rights Clearinghouse. The report also notes that “as of January 2012, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information.”

A 2011 study from Carnegie Mellon University published in the Journal of Policy Analysis and Management, “Do Data Breach Disclosure Laws Reduce Identity Theft?” uses data from the U.S. Federal Trade Commission to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2009. Prior research determined that the average dollar loss associated with theft of a consumer’s data was $6,383; the study uses this figure as a baseline for estimates of the value of disclosure laws.

The study’s findings include:

• Data breach disclosure laws have reduced identity thefts by an average of about 6.1%. Given that the mean number of identity theft reports over 2002 to 2009 totaled 238,791, disclosure laws are estimated to have resulted in a $93 million reduction in the total cost of identity theft.
• Data breaches do not happen less frequently in states that have stricter laws, and the researchers “do not find evidence of the laws gaining strength with time.”
• The study does find some evidence that the laws were effective in the short term, from 6 to 12 months. “[This] could be explained by a temporary heightened awareness by consumers of the notifications, causing them to briefly take more precautions. Perhaps, then, as more notices are sent, and without noticeable signals of the effect of their actions, consumers would become desensitized and ignore further notices.”

The laws’ limited effectiveness may be due to factors such as consumer complacency, a lack of court receptivity to consumer lawsuits and limited business incentives, the researchers conclude. “Managers of firms may also believe that the firm’s probability of suffering a breach is small enough that they may still not fully appreciate (and therefore internalize) the associated penalties. Or they may estimate the net direct and indirect costs of breaches to be quite small, compared with the investments necessary to significantly decrease the probability of those breaches.”

Tags: technology, crime, privacy