In “Access controlled by a password,” Phillip Hallam-Baker writes:
It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices.
I must say, I don’t get this objection. Does it apply to any other bit of information disclosure? Are we drowning in SEC regulatory filings? National Crime Victimization Surveys? Statistical Abstracts of the United States? (How ought one pluralize that, anyway?)
Sure, there may be lots of notices. Sure, those notices may, to a degree, be fiscally inefficient. However, the stock market doesn’t think they matter a great deal (see “Does Lost Data Matter?”). At the same time, as Phill points out:
In the longer term the problem with such exceptions is that lost laptops are a major cause of data loss and there is at least anecdotal evidence to suggest that stolen laptops do trade for the information on them. A few months ago I had lunch with Simson Garfinkel who remarked that there is a correlation between the price of used disk drives on EBay and the purposes that they appear to have been used for.
We should sweep any such evidence under the rug, before it becomes apparent that there are material weaknesses in all sorts of controls.
The reality is that while companies are actually working to improve the security of their data with things like drive encryption, consumers are not (near as I can tell) getting either bored or overwhelmed with notices. Seems like sunlight is a fine disinfectant.