find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce
The folks at Bank Technology News pick up this ball and run with it, proclaiming in a headline:
Study: Data Breach Laws Don’t Reduce ID Theft
This is, quite simply, wrong. Absence of evidence is not evidence of absence. Maybe the data just aren’t good enough (something we at EC have been complaining about — and even trying to fix — for some time).
Since the Bank Technology News article is behind a paywall, I can’t read it. I hope it is more accurate in conveying Romanosky et al.’s recommendations than it is regarding their conclusions.
Those recommendations will be familiar to EC readers, and are worth quoting at length:
Proper research on the effectiveness of data breach disclosure laws is hampered by the lack of sufficient, high quality data. Hoofnagle argues that the current collection of identity theft records come from surveys and anecdotal accounts (Hoofnagle, 2007). He claims that current information is not sufficient and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view. To the extent that reporting and other biases can be reduced, it will allow researchers to more accurately measure the impact of disclosure laws. Moreover, we believe that the proper collection of identity theft victimization, and consumer and firm loss data will be a valuable tool for researchers, policy makers and consumers. We therefore join others (Samuelson, 2007) in supporting the following recommendations to policy makers:
Create a single, federal data breach disclosure law that covers all persons, private organizations, data brokers and state and federal agencies. This single law should reduce conflict between states laws and lower the barrier for compliance.
Standardize the content of notifications to include only pertinent information (no marketing brochures) that includes actionable information for the consumer (e.g. date of breach, type of personal information lost, and customer support contact information).
Define an oversight committee to be notified of all breaches. This will create an authoritative source of breach data that can be made available to policy makers, researchers and consumers.
I haven’t given this paper the time it deserves, so I’ll reserve comment. I’ve read it attentively enough to know that contrary to what some in the trade press may think, the jury is definitely still out on whether identity theft is decreased by breach laws.