An Economic Analysis of Notification Requirements for Data Security Breaches
19 Pages Posted: 23 Jul 2005
Date Written: July 20, 2005
In this paper, we examine the costs and benefits of laws requiring businesses to notify consumers if their private data is compromised, such as the law in California and other state and federal laws recently passed or proposed. Identity theft and related frauds do not seem to be increasing in recent years, and may be decreasing. A 2004 Survey finds virtually identical results to a survey in 2003, and industry reports find no increase. This may be because credit card companies have increasingly sophisticated detection methods to prevent fraud. In addition, there are strong industry incentives to maintain security. Firms bear almost all of the cost of fraud, and firms suffering such fraud exhibit large stock losses in event studies. The cost to individuals of all sorts of identity theft, weighted by frequency and adjusting for time costs, are about $1000 for actual victims. Most identity theft (at least 70%) is based on data obtained offline, not online. The probability of a victim whose data is compromised actually being victimized is about 2%, so the maximum savings from notice is only $20. For various reasons (including time to receive notice and likely action if notice is received) the actual benefits are more likely to be about $10. The costs of notice include actions such as fraud alerts which consumers may take which are likely to be more costly than the benefits. New credit cards cost between $10 and $20. Even though online commerce is safer than offline commerce, consumers receiving notice may decide to do business offline, thus increasing their risk. Firms may also react strongly to minimize reputation losses; this may have perverse effects, as when it becomes more expensive for new businesses to obtain data about potential customers. Thus, any laws mandating notice should be limited. Finally, state laws that have already passed differ in significant ways, but since this is at least a national market, notice will probably be the same in all states. This means that the most restrictive set of state laws will overall govern in all states. This is an argument for federal preemption in this issue.
Keywords: fraud, identity theft, internet security, preemption
JEL Classification: K00, K14, K29
Suggested Citation: Suggested Citation