Wednesday, January 26, 2011

Evaluating Data Breach Disclosure Laws

I imagine most of you have received one or more letters from companies
informing you that they lost your personal information. If so, what,
if anything, did you do about it? Did you check your credit history,
close a financial account, do something else, or nothing at all? If you
did act, you likely did it to reduce your risk of suffering identity
theft. My research question is: did it work? This is something that
I’ve been examining for a number of years now.

In a paper coauthored with Rahul Telang and Alessandro Acquisti at
Carnegie Mellon University, we empirically examine the effect of data
breach disclosure (security breach notification) laws on identity
theft. For a policy researcher, this represents a fantastic
opportunity: a clear policy intervention (adoption of laws across
different states), a heated controversy regarding the benefits and
consequences of the laws that is both practically and academically
interesting, good field data, and a powerful empirical analysis
methodology to leverage (criminology).

An initial version of the paper used consumer reported identity theft
data collected from the FTC from 2002-2006. Using just these data, we
found a negative but not statistically significant result. In fact, I
was quoted as saying, “we find no evidence that the laws reduce
identity theft.” And it was true, we didn’t.

However, we have since augmented that work to include data up to 2009,
which gave us more observations, allowed the laws to be in force for
longer, gave companies time to adapt to them, and perhaps empowered
more consumers to take action. We find that the laws did, indeed,
reduce identity theft by about 6%. Moreover, we can say that we have a
fair amount of confidence in this estimate because the results hold up
to many kinds of permutations and transformations — which is very nice
to see.

Interpreting the magnitude of that estimate is another issue. Is 6%
good? Is it big? That’s an important question, and one to which I wish
I had a better answer. If it’s true that the losses from identity
theft to companies and consumers are in the tens of billions (say,
conservatively, $40B), and that data breaches cause around 20% of all
identity theft (a rough estimate based on the limited data we have),
then a 6% reduction represents a savings of $480M. Not bad.

So if that’s the benefit, then what’s the cost of the laws? As a
researcher, one way to gauge the law’s success (at least, in part) is
to compare this estimated benefit with the costs that companies incur
because of the laws. There is a cost to compliance, after all — costs
that companies would not have borne but for the laws. If it’s the case
that the costs are greater than this 6% benefit from reduced consumer
identity theft, is it still possible that the laws are worthwhile? How
would we even go about answering that?

One of the interesting consequences of the data breach disclosure laws
has been to raise awareness of breaches and resulting privacy harms.
And what happens when people are harmed? They tend to sue. Danielle
Citron and Daniel Solove (among others) have written about the
difficulties that plaintiffs face when bringing legal actions against
companies for data breaches. Nevertheless, the lawsuits do have an
effect: they force companies to internalize some portion of consumer
loss (fraud, etc.). But I argue that this loss isn’t fixed – it
changes based on how much effort consumers put into mitigating losses
(i.e. remember those steps you took after receiving that breach
notice?). This creates an interesting dependency between the portion of
costs borne by the company and the portion borne by the consumer.
Moreover, the laws impose a real cost on the firms, too, in what I’ve
described as a ‘disclosure tax.’

The fascinating outcome of all this is that the change in social cost
(the net change in company and consumer losses) is very unclear.
Social cost may increase because of this new disclosure tax, or it may
decrease because newly-informed consumers are reducing their losses.
But if a company’s investment in data security increases with consumer
losses (say, from greater liability) and if those losses are declining
(because of the information these disclosures provide), this suggests
that companies could end up spending less on data security.

I find the study of these dynamics very interesting because I think
the topics are important (data breaches, disclosure laws and consumer
loss) and, as I mentioned, the outcome is quite uncertain. Moreover,
this affords us an opportunity to apply analytical modeling in order
to better understand how (and why) company and consumer incentives
change, and the conditions under which overall social costs can
decline. I’ll discuss more about the modeling approach in another
article.
