3 Reasons for Breach Notification Laws

By: Absolute Team | 2/2/2009

Bruce Schneier has put together an excellent post about why we need Federal breach notification laws (something I stand behind as well). His post opens up with 3 reasons why we should have breach notification laws:

  1. It's polite to tell someone if you lose something of theirs
  2. It provides stats to security researchers about the scope of the issue
  3. It forces companies to improve security

The third point is based upon the premise that companies who are forced to bear the costs of data breaches (both intangible in loss of trust and tangible in costs of notification) would take extra steps to protect said data. Schneier references a study done by researchers at Carnegie Mellon University that seeks to determine if data breach disclosure laws have reduced identity theft. The study found that there was only a 2% decrease, on average, in identity theft for states with disclosure laws vs. those without disclosure laws.

Bruce Schneier points out that the study can't be relied on for this type of data. Since more data breaches are being reported now vs five years ago, notification laws or not, it's difficult to compare "before and after" data. However, he also brings up a number of other issues: ineffective security improvements, types of data breaches, the reduction of the 'shaming' effect, and more.

A recent study by the Ponemon Institute, which was sponsored by PGP, now puts the cost of a data breach at $202 per record. However, Schneier believes that the hard cost of breach notification is not as effective an incentive as it used to be. Yet he argues that the other points still merit the law:

"Disclosure is important, but it's not going to solve identity theft... The reason theft of personal information is common is that the data is valuable once stolen. The way to mitigate the risk of fraud due to impersonation is not to make personal information difficult to steal, it's to make it difficult to use."

Breach notification laws only deal with one side of the identity theft problem. Schneier argues that further laws are necessary to prevent financial institutions from granting credit to someone with minimal personal information.


And if you've ever left your computer on while you stepped away from it, or if you've ever forgotten to log out of secure systems, this should stop you from that habit. Someone like Jeff may be nice enough to teach you a hard lesson - but more than likely, someone will do something far worse.

Image: xenia / morguefile
