
What the World Should Learn from US Privacy Laws

The current issue of our email newsletter “Inside 1to1: Privacy” includes a thought-provoking piece on the problems and successes of the United States’ privacy laws, entitled “Open Letter to the World: Don’t Copy Our Security-Breach Notification Model.” Published in conjunction with the International Association of Privacy Professionals, or IAPP, Inside 1to1: Privacy is a free monthly e-mail newsletter that reviews privacy, trust and security topics.

I’m calling everyone’s attention to this current issue because it seems to have generated a great deal of interest. I’ve personally received more emails from readers because of this single article than any other since launching the newsletter. If you don't already subscribe to this newsletter, you may want to at least take a look at this informative and provocative article.


3 Comments

I think Beth's points are very important and should be considered by anyone trying to define an appropriate "harm threshold" for breach notification.

Joanne McNabb, CIPP/G
Chief, California Office of Privacy Protection

From Beth Givens, Director, Privacy Rights Clearinghouse:
Hello to Don Peppers and Martha Rogers,

I enjoyed reading your Letter to the World. I'm glad to see such issues being discussed and debated.

And in that spirit ...

I take issue with item number one in your Open Letter to the World regarding security breach notice requirements (reproduced in the next paragraph).

• "Define a harm threshold for notification. The most prominent shortcoming of the American system is a tendency toward overnotification of supposedly affected individuals. 'Overnotification' occurs when organizations feel obliged to inform customers and employees of incidents -- such as misplaced backup tapes -- that pose no material risk of harm to them. As noted in the Samuelson study, overnotification can result in unduly alarmed people as well as their disregard of subsequent notices. One solution to these unintended consequences is to define specific criteria when a data exposure risks harm to individuals, such as when there is positive evidence that an unauthorized person targeted their information for appropriation."

Here's the problem: In most instances, breached entities do not know if the data has been or will be used for malicious purposes, such as to commit identity theft. Survey data compiled by Javelin Strategy show that only about 40% of identity theft victims know how it happened to them, and only about 30% of victims know who did it.

Even if, as an example, I were to learn today that my SSN were exposed in a data breach, and then in, say, one month I were to learn that I'm a victim of identity theft, specifically new account fraud, I still would not be able to connect the dots with assurance and point to THAT particular data breach as the reason I'm now an ID theft victim. There are too many situations in which my SSN is exposed for me to be able to determine the cause of my identity theft situation.

It's impossible to read the mind of the thief who steals a laptop containing sensitive PII from the trunk of someone's car. Did the thief want the laptop for the street value of the laptop? Or for the value of the data? Further, what if the thief sells the laptop on the black market simply to make a few quick and easy bucks? The crook who purchased the stolen laptop might turn around and sell the PII to identity thieves based in Romania.

In short, it is impossible to know the path that the compromised data might take.
###

In doing an extensive literature review for our first study of security breach notification laws (online at http://www.law.berkeley.edu/samuelsonclinic/privacy/217 ), we did not find empirical evidence that overnotification is a problem. As soon as these laws were passed, FTC Chair Majoras and others were painting the overnotification issue, but there was no evidence of it, and even if there is overnotification, one might respond cogently with two arguments:

1) Just because some consumers ignore notices, that does not justify eliminating the notification rights of others. Legal academics have performed rich studies of why individuals exercise or abrogate rights; the landscape is complex, and we probably do not understand yet why some act and others don't. There is some evidence that some inaction is caused by conditions placed upon remedial measures (such as having to provide the SSN for credit monitoring, etc.). As Schwartz and Janger explained in their article discussing GLBA, companies have economic incentives to create subtle and not so subtle barriers to the exercise of privacy rights (see http://papers.ssrn.com/sol3/papers.cfm?abstract_id=319144 ).

2) In reviewing the work of Westin, Gandy, and Turow, it's pretty clear that knowledge of privacy problems drives higher privacy concern. Generally speaking, privacy pragmatists and the unconcerned are far more uninformed of privacy rules and norms than the high-concern fundamentalists. So, to the extent that experience guides privacy concern, notification may serve to raise awareness and reduce the gap between individuals' belief of what privacy law does, and what it actually does (see http://works.bepress.com/joseph_turow/10/ ).
