“Your Epidermis is Showing!”

When I was a young nerd, alerting kids about the exposure of their epidermis was a favorite school-bus taunt, a great one to use on kids whose vocabulary wasn’t above grade-level like mine. “Epidermis” is, of course, a fancy word for skin. A good deal of everyone’s epidermis is showing most of the time, and it doesn’t matter. But kids can unnerve other kids just by telling them that they are exposed in ways they don’t understand, and that’s a fun thing to do.

Such is the flavor of news that data breach reports are up 69 percent so far in 2008. It sounds bad, and in a sense it is: By definition, a “breach” of data is an unintentional release. But the important question is whether a data breach results in any kind of actual harm.

There has been some research on the relationship between data breach and identity fraud, and the connection is fairly weak. New account fraud, which is the most damaging to consumers because of its effect on their financial reputations, takes some guile and work. The limiting factor on new account fraud is probably time and effort, not access to the kinds of information released in the garden variety data breach.

Much credit has been awarded to laws requiring disclosure of data breaches, especially California’s breach disclosure law, S.B. 1386. It’s worth noting that the news item linked first above cites a rise in reports of data breaches, not a rise in actual breaches. One would expect more reports as more entities come into compliance with disclosure laws. The rate of actual breaches and any trends are not part of this reporting.

A paper presented at WEIS 2008 Workshop on the Economics of Information Security last week has some relevant information. The paper is called “Do Data Breach Disclosure Laws Reduce Identity Theft?” and it finds “no statistically significant effect that [data breach disclosure] laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited.”

Of course, data breach disclosure laws may cause firms to improve their data security practices, but doing so for compliance purposes and not for harm prevention will cause them to overspend on data security, with the costs passed on to their customers in the form of higher prices and to owners in the form of lower dividends and stock prices. Spending on security that doesn’t cost-effectively secure against real threats lowers consumer welfare, as economists would say.

The damage that might be done by any data breach is very contextual. Sometimes consumers should be alerted about it, and sometimes alerting them is a waste of everyone’s time. Sometimes other responses are more appropriate, and sometimes data breaches require no response at all. People have worked hard to tailor data breach disclosure laws, but this kind of regulation is inherently a clumsy instrument, and, again, disclosure may not even be the right response.

It’s looking more and more like data breach disclosure laws parallel the schoolyard taunt “your epidermis is showing.” Three years ago, I wrote about data security regulation suggesting that common law liability for holders of sensitive data might be a better way to ferret out the right responses to data breaches, and to make sure that data holders internalize risks. I’m still above grade-level, you see … .