Regulating Data Brokers

The recent hacks into ChoicePoint’s and Lexis’ personal information databases has led to calls for further regulation of data brokers. While I don’t want to minimize the consequences of these hacks, including the severe consequences of identity theft, limiting data sales is not the way to solve the problem. I made this point in an essay involving data mining, where I take the position that the problem occurs with bad data uses, not the underlying sales. Therefore, regulating sales limits some socially-beneficial activities that can derive from information dissemination, and merely attacks a proxy for the harm, rather than the harm itself.

I also wonder if some of the angst can be attributed to the new laws mandating consumer notices in the event of hacks into personal databases (such as California’s). While I understand the spirit of the law, I also question if the notifications are helpful or harmful. I’ve never received one of those notices, but if I did, I’m not sure what I’d do with it. Should I cancel my credit cards? Should I order a credit-watching service? Should I just live in fear of some potential ominous outcome? I think we would all be tempted to react emotionally to a letter of this sort given our difficulties quantifying uncertain risk.