Information Policy Institute White Paper Examines Data Breach Notification Legislation

A recent examination of data breach notification conducted by the Information Policy Institute identifies some pitfalls in many proposed data breach notification bills and laws. The study, “Towards a Rational Personal Data Breach Notification Regime” by Michael Turner, President and Senior Scholar of the Political and Economic Research Council, examines trends in identity theft, identity fraud, and data breaches and proposes elements for an effective notification system.

“Very high profile breaches of databases with personal information in recent years make it an issue that the public and lawmakers cannot ignore,” said Michael Turner. “Some legislation is necessary. But in the rush to respond to the real dangers of potential identity theft, we need to make sure that notifications are structured to do more good than harm.” The study finds:

  • Identity theft and fraud have not been growing, and the damage done has been declining.
  • Responses by industry are having a positive impact in preventing identity crimes and reducing the damage done.

There are nonetheless good reasons to require consumer notification. Notification can direct a consumer’s attention towards their accounts and credit files, allowing them to monitor activity in their name and minimizing the damage done. How and when consumers are notified, the study goes on to argue, matters a great deal for minimizing damage. If consumers are “over-notified,” they will pay less attention and fail to direct their efforts to incidents where monitoring is crucial. The study points out four factors to be considered:

  • How the “trigger” or breach that prompts notification is defined is crucial in avoiding “over-notification” where consumers are inundated with information.
  • Uniformity in the notification requirement matters; a federal and pre-emptive requirement can prevent a fragmented patchwork of rules and “over-notification”.
  • Notification should also take into account legitimate and desirable business activity, by being flexible so that some business models are not excessively hampered.
  • Effective notification requires that the needs of law enforcement and third-party data brokers be considered in order to better address the crime.

About PERC and the Information Policy Institute

The Political and Economic Research Council (PERC) is a non-partisan centrist policy institute devoted to research, public education, and outreach on public policy matters. PERC has a broad mandate but emphasizes issues related to information policy, credit access, and the global information economy. The Information Policy Institute is an applied studies center of PERC.