
Thursday, June 12, 2008


As the data breaches march aggressively on (a grand total since Jan. 2005 of 917, exposing 227.3 million personal records), researchers from Carnegie Mellon University say state data breach laws don’t work. There are 43 states plus Puerto Rico that have enacted legislation, and you can check your state’s law here. If other states’ legislation is anything like Arizona’s, where I live, you can understand why it hasn’t worked. The reason is that in many cases it is up to the company that suffered the breach to determine whether the loss of the individual’s sensitive data is likely to do any harm. That’s like giving the crook your credit card and asking him to let you know when he uses it.

In the TechWorld article, the Carnegie Mellon research team leader, Sasha Romanosky, says, "There doesn't seem to be any evidence that the laws actually reduce identity theft." The data came from the Federal Trade Commission and consisted of identity theft complaints filed between 2002 and 2006, which the team used to determine whether state laws like California’s SB 1386 were effective. Well, they weren’t, and since the state legislation route was our only hope, given inept U.S. congressional leaders who have yet to come up with a workable identity theft law, where do we go from here? I’ll tell you where.

Form a grass-roots movement, like the one I have been raving about for three years, and force Congress to pass legislation that will give consumers control over their names and personal data, and compensate them when it is sold. It would be up to you to determine who can have access to your private information, and just what kind of junk mail or non-junk mail material you want to receive. My plan is simple and practical, easy to launch and maintain, and the result would be secure sensitive data for the first time since technology took its giant leap.

Carnegie Mellon admits the data isn’t perfect, but, as they perhaps beseechingly put it, it’s all we’ve got. And that in itself is a tragedy, since we are dealing here with the number one consumer fraud in America. Maybe the reason we don’t have well-organized figures on ID theft is that Washington wants it that way, to keep from having to address the issue. You can see the complete Carnegie Mellon study here. It’s due to be presented at a conference on Information Security Economics at Dartmouth College later this month.

In the “Abstract” at the beginning of the study, which is basically a summary, the conclusion is drawn that it cannot be decided, based on the data, that state laws have had any effect in curbing identity theft. However, the Carnegie Mellon team does give us a ray of hope in noting that the state laws could be having other benefits, such as reducing a victim’s average losses and forcing businesses to clean up their security act. We’ll take anything we can get.


William Morriss said...

I think you were had by the TechWorld article. If you read the original paper by Romanosky, you'll find that they say they need more data, not that security breach notification laws don't work, something I blogged about here.

Jack E. Dunning said...

William: Perhaps you were had by interpretation. I did read the original report, and pertaining to your comment, what was said was: “Proper research on the effectiveness of data breach disclosure laws is hampered by the lack of sufficient high quality data.” The key word here is hampered, not that the results are not meaningful. With a flat statement by Romanosky as follows: “We find no statistically significant effect that laws reduce identity theft…” I still go with my conclusion that state data breach laws do not work, but maybe I should have added, ‘the way they should.’ More on this in a comment on your blog.

Jack E. Dunning
The Dunning Letter