An Economic Analysis of Notification Requirements for Data Security Breaches

From Cybersecurity Wiki

Full Title of Reference

An Economic Analysis of Notification Requirements for Data Security Breaches

Full Citation

Thomas M. Lenard and Paul H. Rubin, An Economic Analysis of Notification Requirements for Data Security Breaches, Progress on Point, The Progress & Freedom Foundation (2005). Web

Categorization

Key Words

Credit Card Fraud, Disclosure Policy, Identity Fraud/Theft, Transparency

Synopsis

In a context where an increasing number of lawmakers are considering the adoption of security breach statutes, this paper addresses a number of interrelated issues concerning whether a notification requirement would be in the best interests of consumers and what form it should take:

  • Does the private market provide adequate incentives for firms both to secure their data and to provide notice to consumers in the event of a breach?
  • Is there reason to believe a notification requirement will yield benefits greater than costs?
  • In light of the benefit-cost analysis, how should a notification mandate be structured?
  • If there is a requirement, should it be at the state level or should federal law preempt state laws in this area?

The authors' main conclusions are:

  • The annual costs of identity theft and related frauds are $55 billion, $50 billion of which are borne directly by businesses, including banks, credit card issuers and merchants. Firms also suffer large losses in stock value when security is breached. These factors provide strong incentives for companies to spend money on data security.
  • While it is unclear whether firms have adequate incentives to notify compromised consumers, the issue is an empirical one: do the benefits of notification outweigh the costs?
  • The expected benefits to consumers of a notification requirement are extremely small—on the order of $7.50 to $10 per individual whose data have been compromised. This is because (1) most cases of identity theft do not involve an online security breach; (2) only a very small percentage of individuals compromised by security breaches—perhaps 2 percent—actually become victims of a fraud; (3) most of these are victims of fraudulent charges on their existing credit accounts, for which they have very limited liability, rather than victims of true identity theft; and, (4) even a well-designed notification program will only eliminate about 10-20 percent of the expected costs.
  • Because a notification mandate is dubious on benefit-cost grounds, it should be targeted carefully. Firms should be able to determine which customers are most at risk and tailor notice to those individuals, perhaps in cooperation with the FTC.
  • Encrypted data should be exempt from notice, because it is less likely to be used for fraudulent purposes.
  • Federal preemption of state notification laws will reduce compliance costs and improve the benefit-cost balance. A true federalist approach is not possible with markets and firms that are national, and even international, in scope. Firms will tend to comply with a single set of rules. In the absence of a preemptive federal statute, they will comply with the most stringent set of state regulations, which will in effect “preempt” other state regulations.

Additional Notes and Highlights

Outline:

 I. Introduction and Summary
 II. The Cost of Security Breaches
 III. Market Responses
   A. Security
   B. Notification
 IV. Benefits of Notification
   A. Estimate 1
   B. Estimate 2
   C. Reduced Benefits Due to Delay
   D. Consumer Response
 V. Costs of Notification
   A. Direct Notification Costs
   B. Costs of Actions Taken by Consumers
   C. Information Costs
 VI. Are the Benefits of Notification Greater Than the Costs?
 VII. Optimal Scope of Notice
 VIII. The Issue of Preemption
   A. Benefits of Federalism
   B. Benefits of Preemption
     1. Inconsistencies in State Statutes
     2. The Effect of the Inconsistencies
   The Benefits of Federalism vs. the Benefits of Preemption
 IX. Conclusions