Do Data Breach Disclosure Laws Reduce Identity Theft

From Cybersecurity Wiki
Latest revision as of 15:36, 19 August 2010

Full Title of Reference

Do Data Breach Disclosure Laws Reduce Identity Theft?

Full Citation

Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Do Data Breach Disclosure Laws Reduce Identity Theft? (2007). (Workshop on the Economics of Information Security at Dartmouth College, Jun. 26, 2008). Web: http://weis2008.econinfosec.org/papers/Romanosky.pdf

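BibTeX: http://cyber.law.harvard.edu/cybersecurity/Special:Bibliography?f=wikibiblio.bib&title=Special%3ABibliography&view=detailed&action=&keyword=Romanosky_et_al%3A2008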

Categorization

Issues: Incentives; Information Sharing/Disclosure

Approaches: Regulation/Liability

Key Words

Credit Card Fraud, Disclosure Policy, Identity Fraud/Theft, Transparency

Synopsis

The Purpose of Data Breach Legislation

The paper starts by outlining that identity theft resulted in corporate and consumer losses of $56 billion in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. According to the authors, the rationale behind such laws is that they will create incentives for firms to internalize more of the cost of a breach through notification letters, customer support call centers, and mitigating actions such as marketing campaigns and free credit monitoring.

Incidence of Laws on Data Breaches

While the laws are expected to reduce identity theft, their full effects have yet to be empirically measured. The authors use panel data from the US Federal Trade Commission with a state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2007. The authors find a small effect of the laws on the incidence of identity theft (they reduce the rate by just under 2%, on average).

Other Effects of Data Breach Legislation

While the incidence of the laws on data breaches is minimal, reducing identity theft is only one means by which these laws can be evaluated: the authors also appreciate that they may have other benefits such as reducing the average victim's losses or improving a firm's security and operational practices. Also, the small incidence does not necessarily suggest that the laws are ineffective, for there are other dimensions to the effects of the law. For example, the laws naturally lead to more disclosures, and it is also conceivable that the laws may not reduce identity thefts but may decrease the economic losses associated with these thefts, or may reduce the severity of losses from identity thefts. But overall, the data are inconclusive.

Policy and Research Implications

According to the authors, the effectiveness of data breach disclosure laws relies on actions taken by both firms and consumers. Certainly firms must improve their controls, but regardless, once notified, consumers must themselves take responsibility to reduce their own risk of identity theft – something which only a minority appears to be doing. It may be that only with time will we see more firms internalize the costs, more consumers respond to the risks, and the victimization rates decline.

The authors also underline the need for better data collection, measurements and more studies that can inform policy makers, consumer groups and industry participants regarding the role of regulations in this domain. Otherwise, they say, policy decisions will be made by partisan debates, lobbying efforts and unmeasured and conflicting outcomes.

Additional Notes and Highlights

Expertise Required: Economics - Moderate

Paper review from networkworld.com: "Do data-breach-disclosure laws reduce identity theft? Research attempts to answer the question" (http://www.networkworld.com/newsletters/sec/2008/072808sec1.html/)

Paper review from consumeraffairs.com: "Data Breach Disclosure Laws Don't Slow Down Identity Theft; Results of recent legislation called 'statistically insignificant'" (http://www.consumeraffairs.com/news04/2008/06/data_breaches.html/)

Outline:

 1. INTRODUCTION
   1.1 Motivation for data breach disclosure laws
   1.2 Arguments against data breach disclosure laws
 2. RELATED WORK
   2.1 Information Economics and Disclosure Policy
   2.2 Environmental Disclosure and Deterrent Policies
   2.3 Criminal Deterrence Policies
 3. DATA BREACHES AND BREACH LEGISLATION
   3.1 Data Breaches
   3.2 US Data Breach Disclosure Legislation
   3.3 Conceptual Model
 4. IDENTITY THEFT DATA
   4.1 Data Sources and Summary Statistics
   4.2 Causes of Identity Theft
 5. DATA ANALYSIS
   5.1 Effect of Law on Identity Theft: Basic Model
   5.2 Extended Model
 6. RESULTS
   6.1 Effect of Law on Identity Theft
   6.2 Awareness Bias
   6.3 Endogeneity of the law
   6.4 Sampling bias
 7. DISCUSSION
 8. POLICY IMPLICATIONS
   8.1 Consumer losses and incentives
   8.2 Firm losses and incentives
   8.3 Recommendations
 9. CONCLUSION