Do Data Breach Disclosure Laws Reduce Identity Theft?

The answer is: apparently not.

Three Carnegie Mellon University authors have written a paper entitled Do Data Breach Disclosure Laws Reduce Identity Theft?, written for an upcoming Workshop on the Economics of Information Security at Dartmouth University:

"Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured (...) We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices." [Source: beSpacific.com]

Earlier Library Boy posts on data breaches include:

• Privacy Breach Resources (July 4, 2005)
• 2005 - Year of the Data Breach (November 2, 2005)
• Paper on Data Security Breach Notification (January 10, 2007)
• Recent Rash of Data Security Breaches in Canada (January 19, 2007)
• List of Identity Theft Laws in US and Canada (July 6, 2007)
• Privacy Commissioner of Canada Releases Privacy Breach Guidelines (August 2, 2007)
• Proposed Breach Notification Law Falls Short; U.S. Way Ahead of Canada (April 25, 2008)
• 2007 Annual Report of the Privacy Commissioner of Canada (June 3, 2008): "The year 2007 will no doubt be remembered in the privacy world as the year of the data breach."