{"id":28,"date":"2008-07-01T13:57:49","date_gmt":"2008-07-01T11:57:49","guid":{"rendered":"http:\/\/www.ofcourseimright.com\/?p=28"},"modified":"2008-07-01T14:01:10","modified_gmt":"2008-07-01T12:01:10","slug":"no-evidence-that-data-breach-privacy-laws-work","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=28","title":{"rendered":"No Evidence That Data Breach Privacy Laws Work"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright alignnone size-medium wp-image-26\" style=\"border: 0pt none; float: right; margin-left: 5px; margin-right: 5px;\" title=\"cybercrime\" src=\"http:\/\/www.ofcourseimright.com\/blog\/wp-content\/uploads\/2008\/06\/cybercrime.jpg\" alt=\"\" width=\"96\" height=\"132\" \/>Have you ever received a notice that your data privacy has been breached?\u00a0 What the heck does that mean anyway?\u00a0 Most of the time what it means is that some piece of information that you wouldn&#8217;t normally disclose to others, like a credit card or your social security number, has been released unintentionally, and perhaps maliciously (e.g., stolen).\u00a0 About five years ago states began passing data breach privacy laws that required authorized possessors of such information to report to victims when a breach occurred.\u00a0 There were basically two goals for such laws:<\/p>\n<ul>\n<li>Provide individuals warning that they may have suffered identity theft, so that they can take some steps to prevent it, like blocking a credit card or monitoring their credit reports; and<\/li>\n<li>Provide a more general deterrent by embarrassing companies into behaving better. 
&#8220;<em>Sunlight as a disinfectant<\/em>,&#8221; as Justice Brandeis wrote.[1]<\/li>\n<\/ul>\n<p>A <a title=\"Data Theft Paper\" href=\"http:\/\/weis2008.econinfosec.org\/papers\/Romanosky.pdf\">study<\/a> conducted by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti at CMU found that, as of yet, no correlation can be found between these laws and identity theft rates.\u00a0 There could be many reasons why the correlation isn&#8217;t there.\u00a0 First, only a small percentage of the stolen information seems to actually be used.\u00a0 Second, just because a light has been shined doesn&#8217;t mean that there is anything the consumer will be capable of doing or willing to do.\u00a0 For instance, suppose you buy something at your-local-favorite-website.com.\u00a0 They use a credit card or billing aggregation service that has its data stolen, and so that service reports to you that your data has been stolen.\u00a0 You might not even understand what that service has to do with you.\u00a0 Even if you do, what are the chances that you would be willing to not use your-local-favorite-website.com again?\u00a0 And if you hear about such a break-in from someone else, would it matter to you?\u00a0 Economists call that last one <em>rational ignorance<\/em>.\u00a0 In other words, hear no evil, see no evil.<\/p>\n<p>Add to all of this that some people have said that there are huge loopholes in some of the laws.\u00a0 At WEIS and elsewhere, people discussed several not-so-innovative approaches that some firms are using to get around the need to disclose.<\/p>\n<p>This paper is not the final word on the subject, but clearly work needs to be done to improve these laws so that they have more impact.\u00a0 As longitudinal studies go, this one isn&#8217;t very long.\u00a0 It&#8217;s possible we&#8217;ll see benefits further down the road.<\/p>\n<p>[1]\u00a0 The Brandeis quote can be found in the paper I cited (which is why I used 
it).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever received a notice that your data privacy has been breached?\u00a0 What the heck does that mean anyway?\u00a0 Most of the time what it means is that some piece of information that you wouldn&#8217;t normally disclose to others, like a credit card or your social security number, has been released unintentionally, and perhaps &hellip; <a href=\"https:\/\/ofcourseimright.com\/?p=28\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;No Evidence That Data Breach Privacy Laws Work&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,4,9],"tags":[38,37,496],"class_list":["post-28","post","type-post","status-publish","format-standard","hentry","category-internet-consumer-identity","category-politics","category-security","tag-identity","tag-privacy","tag-security"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/28","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28"}],"version-history":[{"count":0,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/28\/revisions"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28"},{"taxonomy":"post_tag","embeddable":
true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}