Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?

Posted: 23 Jan 2012

Sasha Romanosky

RAND Corporation; Carnegie Mellon University - Heinz College of Information Systems and Public Policy

Alessandro Acquisti

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Richard Sharp

affiliation not provided to SSRN

Date Written: August 15, 2010

Abstract

Data breaches occur when personal consumer information is lost or stolen, and can result in the loss of hundreds or millions of records (e.g., local schools or small retail stores; TJX or Heartland). They can occur from the improper disposal of documents containing personal information, from the loss of a laptop or thumb-drive, or when criminals penetrate corporate networks to steal information. The personal data compromised include individuals’ names, addresses, social security numbers, dates of birth, driver’s licenses, passport numbers, and financial data. This information can then be used to commit crimes, including fraudulent unemployment claims (Goodin 2008), fraudulent tax returns (McMillan 2008), fraudulent loans (Hogan 2008), home equity fraud (Krebs 2008), and payment card fraud. Consumers can also suffer the burden of increased loan interest rates, being denied utility services, civil suits or criminal investigation (Baum 2004). While the consumer costs incurred from credit card fraud may be negligible, out of pocket expenses can reach thousands of dollars (Federal Trade Commission 2007).

As a result of these losses, in recent years U.S. policy makers have enacted laws that require organizations to notify individuals when personally identifiable information has been lost or stolen. As of late 2009, 45 states (as well as other countries around the world) have adopted data breach disclosure, or security breach notification, laws (Maurushat 2009). Aside from two studies (one showing an improvement in firm practices (Samuelson Law 2007), and another finding only a marginal reduction in consumer rates of identity theft (Romanosky et al. 2008)), however, the effects of data breach disclosure laws have yet to be rigorously studied.

One of the main intents of notification laws is to empower consumers to take action and mitigate their loss (Majoras 2005). In addition, the possibility of loss from a breach and resulting costs from notification, it is argued, forces firms to internalize more of the cost of a data breach, thereby inducing them to increase their investment in security measures. This, in turn, is expected to reduce the probability, or magnitude, of future breaches. In short, data breach disclosure “drive[s] performance through transparency and oversight” (Mulligan 2007).

However, critics argue that such laws inflict unnecessary costs for both firms and consumers if indeed firms already bear most of the loss (Lenard and Rubin 2005) or when lost data is recovered before it is even accessed (Majoras 2005). Moreover, when the risk of harm is low, unnecessary notification may desensitize individuals, preventing them from acting when a serious threat does exist (Majoras 2005). Further, consumers may be unable to properly respond to the breach notifications, as the notices may present a substantial cognitive and psychological barrier to taking action, also causing them to under-react (Romanosky and Acquisti 2009). Alternatively, news media and a burgeoning market of identity theft prevention services may breed panic and confusion, causing consumers to over-react by unnecessarily purchasing such products, increasing their expected costs.

But mandatory disclosure may also affect firms in conflicting ways. On the one hand, disclosure is costly. Firms will incur costs of notification, customer services operations (call centers, customer support), consumer redress (such as identity theft insurance or credit monitoring), legal fees, regulatory fines, and the potential loss of market valuation or lost business (customer churn) (GAO 2007, Ponemon 2010). On the other hand, notifications may also cause consumers to take appropriate action and reduce their harm (either by preventing or mitigating identity theft) - this would lower the firm’s own expected costs, because the amount of consumer harm that the firm internalizes is reduced.

In short, it is unclear whether disclosure would result in a net increase or decrease of firm, consumer, or overall social costs. Using both analytical and numerical modeling, we show that even though firm costs will be higher under disclosure regimes, firms can be induced to increase their investment in care, which may lower social costs. Moreover, disclosure can induce consumers to increase their level of care, thus lowering their total costs. Finally, we find that the change in social costs is typically increasing in disclosure tax (costs imposed on the firm due to disclosure laws) and decreasing in consumer redress (compensation paid by the firm to the consumer). However, when the firm compensates consumers for only a small amount of loss, some disclosure tax may be necessary to optimally reduce social costs.

The next section discusses the literature related to information disclosure in IT security and the economics of (accident) law, which we leverage to frame information disclosure within the context of other common means of reducing externalities. We then define the costs involved in a data breach absent any legal regime, and illustrate how these costs change under mandatory breach disclosure.

Next, we use analytical methods to determine the conditions under which disclosure reduces social costs. Finally, we provide discussion and empirical validation, followed by some model extensions and our conclusion.

Suggested Citation

Romanosky, Sasha and Acquisti, Alessandro and Sharp, Richard, Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal? (August 15, 2010). TPRC 2010. Available at SSRN: https://ssrn.com/abstract=1989594

Sasha Romanosky (Contact Author)

RAND Corporation

1776 Main Street
P.O. Box 2138
Santa Monica, CA 90407-2138
United States

Carnegie Mellon University - Heinz College of Information Systems and Public Policy

Pittsburgh, PA 15213-3890
United States

Alessandro Acquisti

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Pittsburgh, PA 15213-3890
United States
412-268-9853 (Phone)
412-268-5339 (Fax)

Richard Sharp

affiliation not provided to SSRN
