Kim Zetter of Threat Level discusses the different views expressed at a seminar last week on whether data breach notification laws do any good.
As expected, the upshot was “we don’t know” because there are not enough data, surveys may not be reliable indicators, etc.
Of course, there is another way to frame the issue of whether such laws do any good, which is to recognize that prevention of identity theft is not necessarily the sole or even the most important reason for entities to be required to disclose breaches.
If a steward of your personal information assures you that your data will be protected and then it isn’t, should they be obliged to let you know that your data have been lost, stolen, possibly misused, etc.? Consumers can choose to stop doing business with an entity that loses their data; they can choose to dump the notifications in the garbage, unopened; they can choose to sign up or not sign up for any services offered. But the choice needs to rest with the individual whose personal information has been compromised, and that requires notification.
So… are existing breach notification laws adequate if one recognizes that ID theft may not be the main reason to notify? Some state laws (like California’s) are better than others, and new breach notification provisions in the stimulus bill will increase notification of health-related data breaches, but no notification law is worth a damn if the entity doesn’t even know that it’s been breached or is left to make the decision to notify based on its own determination of risk of ID theft. As far as this privacy advocate is concerned, breach notification is a “right to know” issue even more than a “need to know” issue.