Report Challenges Value of Notifying Consumers of Data Security Breaches

By Eric Goldman

ID Analytics has released a report trying to quantify the harms caused by data security breaches. The report sensibly distinguishes between different types of breaches–misappropriation of name and social security numbers are different, and in some ways more serious, than disclosures of account numbers. The press release claims:

“ID Analytics’ research makes it clear that identity-level breaches pose the greatest potential for harm to businesses and consumers due to fraudsters’ sophisticated methods for profiting from identity information, as compared to account-level breaches. Even so, the calculated fraudulent misuse rate for consumer victims of the analyzed breach with the highest rate of misuse was 0.098 percent—less than one in 1,000 identities.”

There are plenty of reasons to carefully scrutinize the report’s methodology and findings. However, the findings should not be quickly dismissed. Without good data, it would be easy to overestimate the harm caused by the mere disclosure of data. In these situations, there is an almost-irresistible temptation to overreact to the fear of the unknown.

On this front, the report questions the value of mandatory consumer notifications after security breaches. As the press release says, “It’s not helpful for consumers to receive a generic letter in the mail telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed.”

This quote is probably unintentionally inflammatory. Its sentiments are 100% right, but it is a lightening rod for criticism because it challenges the bedrock consumer protection view that more information is better. In particular, it shouldn’t be surprising that consumers think they want to know about data security breaches, given the overdriven press hype about the scariness of ID theft.

However, in an era of consumer information overload, we need to be circumspect about the value of throwing more information at consumers–especially if they lack any meaningful ability to act on the information or redress the problem. For example, there’s a non-trivial risk that consumers who receive notification letters get scared, toss the letter, and otherwise do not change their behavior. If so, from my perspective, government-mandated information that doesn’t change consumer behavior is worse than no information at all–it consumes attention, and in this case it causes unnecessary psychological distress, for no tangible benefit. Too bad that, in the mania to pass mandatory breach notification laws, regulators are not exploring these possible consequences more carefully.