Congress Mulls Mandatory Security Breach Disclosure Law

Congress is discussing a national mandatory security breach notification law. In a minor surprise, at least one legislator, Rep. Oxley, is asking the right questions. He observes: “consumers may begin to ignore those notices as just that many more pieces of unsolicited junk mail.” That is absolutely correct! He also observed that only a small percentage of data breaches result in fraudulent activity. Also correct. He didn’t pick on the other major deficiency of the proposed laws, which is that the notifications are scary but consumers are powerless to do anything proactively to protect their interests. (Consumers can be vigilant in monitoring their financial activity, but they need to do this anyways). So the notifications stress out consumers but don’t offer any solutions. Thus, the question is: what value does mandatory notification have? And what costs does it impose?

Interestingly, a number of companies are lining up in favor of a mandatory disclosure law, including ChoicePoint and Bank of America, even though they could simply pledge voluntarily to make disclosures as appropriate. I assume these companies are in favor of a national law to preempt a state-level patchwork quilt of laws, or to forestall even more draconian laws.