An Economic Analysis of Notification Requirements for Data Security Breaches

This paper addresses a number of interrelated issues concerning whether a notification requirement would be in the best interests of consumers and what form it should take.
Our major conclusions are:
The annual costs of identity theft and related frauds are $55 billion, $50 billion of which are borne directly by businesses, including banks, credit card issuers and merchants. Firms also suffer large losses in stock value when security is breached. These factors provide strong incentives for companies to spend money on data security.
While it is unclear whether firms have adequate incentives to notify compromised consumers, the issue is an empirical one: do the benefits of notification outweigh the costs?
The expected benefits to consumers of a notification requirement are extremely small—on the order of $7.50 to $10 per individual whose data have been compromised. This is because (1) most cases of identity theft do not involve an online security breach; (2) only a very small percentage of individuals compromised by security breaches—perhaps 2 percent—actually become victims of a fraud; (3) most of these are victims of fraudulent charges on their existing credit accounts, for which they have very limited liability, rather than victims of true identity theft; and (4) even a well-designed notification program will only eliminate about 10-20 percent of the expected costs.
Because a notification mandate is dubious on benefit-cost grounds, it should be targeted carefully. Firms should be able to determine which customers are most at risk and tailor notice to those individuals, perhaps in cooperation with the FTC. Encrypted data should be exempt from notice, because it is less likely to be used for fraudulent purposes.
Federal preemption of state notification laws will reduce compliance costs and improve the benefit-cost balance. A true federalist approach is not possible with markets and firms that are national, and even international, in scope. Firms will tend to comply with a single set of rules. In the absence of a preemptive federal statute, they will comply with the most stringent set of state regulations, which will in effect “preempt” other state regulations.