Shostack + Friends Blog Archive
Please read more carefully.

A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors

find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce

The folks at Bank Technology News pick up this ball and run with it, proclaiming [link no longer works] in a headline:

Study: Data Breach Laws Don’t Reduce ID Theft

This is, quite simply, wrong. Absence of evidence is not evidence of absence. Maybe the data just aren’t good enough (something we at EC have been complaining about — and even trying to fix — for some time).
Since the Bank Technology News article is behind a pay wall, I can’t read it. I hope it is more accurate in conveying Romanosky et al.’s recommendations than it is regarding their conclusions.
Those recommendations will be familiar to EC readers, and are worth quoting at length:

Proper research on the effectiveness of data breach disclosure laws is hampered by the lack of sufficient, high quality data. Hoofnagle argues that the current collection of identity theft records comes from surveys and anecdotal accounts (Hoofnagle, 2007). He claims that current information is not sufficient and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view. To the extent that reporting and other biases can be reduced, it will allow researchers to more accurately measure the impact of disclosure laws. Moreover, we believe that the proper collection of identity theft victimization, and consumer and firm loss data will be a valuable tool for researchers, policy makers and consumers. We therefore join others (Samuelson, 2007) in supporting the following recommendations to policy makers:

• Create a single, federal data breach disclosure law that covers all persons, private organizations, data brokers and state and federal agencies. This single law should reduce conflict between state laws and lower the barrier for compliance.
• Standardize the content of notifications to include only pertinent information (no marketing brochures) that includes actionable information for the consumer (e.g. date of breach, type of personal information lost, and customer support contact information).
• Define an oversight committee to be notified of all breaches. This will create an authoritative source of breach data that can be made available to policy makers, researchers and consumers.

I haven’t given this paper the time it deserves, so I’ll reserve comment. I’ve read it attentively enough to know that contrary to what some in the trade press may think, the jury is definitely still out on whether identity theft is decreased by breach laws.

2 comments on "Please read more carefully."

  • David Brodbeck says:

    Even if it turns out the laws don’t reduce identity theft, it may be that they allow it to be caught sooner by making people aware they’re at higher risk. If that’s the case they still serve a useful function.

  • Dan Weber says:

    Absence of evidence is not evidence of absence.

    Sorry, but no. Absence of evidence is absolutely evidence of absence.
    Now, it’s true that absence of proof is not proof of absence. But merely as evidence? Oh, yeah, it’s definitely that.