An Economic Analysis of Notification Requirements for Data Security Breaches

This paper addresses a number of interrelated issues concerning whether a notification requirement would be in the best interests of consumers and what form it should take.
Our major conclusions are:
The annual costs of identity theft and related frauds are $55 billion, $50 billion of which are borne directly by businesses, including banks, credit card issuers and merchants. Firms also suffer large losses in stock value when security is breached. These factors provide strong incentives for companies to spend money on data security.
While it is unclear whether firms have adequate incentives to notify compromised consumers, the issue is an empirical one: do the benefits of notification outweigh the costs?
The expected benefits to consumers of a notification requirement are extremely small—on the order of $7.50 to $10 per individual whose data have been compromised. This is because (1) most cases of identity theft do not involve an online security breach; (2) only a very small percentage of individuals compromised by security breaches—perhaps 2 percent—actually become victims of a fraud; (3) most of these are victims of fraudulent charges on their existing credit accounts, for which they have very limited liability, rather than victims of true identity theft; and, (4) even a well-designed notification program will only eliminate about 10-20 percent of the expected costs.
Because a notification mandate is dubious on benefit-cost grounds, it should be targeted carefully. Firms should be able to determine which customers are most at risk and tailor notice to those individuals, perhaps in cooperation with the FTC. Encrypted data should be exempt from notice, because it is less likely to be used for fraudulent purposes.
Federal preemption of state notification laws will reduce compliance costs and improve the benefit-cost balance. A true federalist approach is not possible with markets and firms that are national, and even international, in scope. Firms will tend to comply with a single set of rules. In the absence of a preemptive federal statute, they will comply with the most stringent set of state regulations, which will in effect “preempt” other state regulations.

Thomas Lenard is Senior Fellow and President Emeritus at the Technology Policy Institute. Lenard is the author or coauthor of numerous books and articles on telecommunications, electricity, antitrust, privacy, e-commerce and other regulatory issues. His publications include Net Neutrality or Net Neutering: Should Broadband Internet Services Be Regulated?; The Digital Economy Fact Book; Privacy and the Commercial Use of Personal Information; Competition, Innovation and the Microsoft Monopoly: Antitrust in the Digital Marketplace; and Deregulating Electricity: The Federal Role.

Before joining the Technology Policy Institute, Lenard was acting president, senior vice president for research and senior fellow at The Progress & Freedom Foundation. He has served in senior economics positions at the Office of Management and Budget, the Federal Trade Commission and the Council on Wage and Price Stability, and was a member of the economics faculty at the University of California, Davis. He is a past president and chairman of the board of the National Economists Club.

Lenard is a graduate of the University of Wisconsin and holds a PhD in economics from Brown University. He can be reached at [email protected]

Paul Rubin is senior fellow at the Technology Policy Institute. Dr. Rubin has written or edited seven books, and published over one hundred articles and chapters on economics, law, and regulation in journals including the American Economic Review, the Journal of Political Economy, the Quarterly Journal of Economics, the Journal of Legal Studies, the Journal of Law and Economics, and the Yale Journal on Regulation. He has contributed to the Wall Street Journal, the New York Times and other newspapers and magazines.

Dr. Rubin is also Dobbs Professor of Economics and Law at Emory University in Atlanta and editor in chief of Managerial and Decision Economics. He previously served as senior staff economist at President Reagan's Council of Economic Advisers, chief economist at the U.S. Consumer Product Safety Commission, director of advertising economics at the Federal Trade Commission, and vice-president of Glassman-Oliver Economic Consultants, Inc., a litigation consulting firm in Washington. He has taught economics at the University of Georgia, City University of New York, VPI, and George Washington University Law School. Dr. Rubin is a graduate of the University of Cincinnati and holds a PhD from Purdue University.
