When Data Security Regulations Fail, There Is an Alternative


If you hadn’t heard of ChoicePoint before, you have now. ChoicePointis a data aggregator‑a company that collects information aboutpeople, reselling it in different combinations to a variety ofclients. Most of the time, data aggregation is a beneficialprocess. It adds brains to the economy, helping designers, makers,marketers, and sellers of goods and services do a better job forconsumers. Data aggregation helps employers, insurers, and lendersmake smarter decisions faster.

For good or bad, ChoicePoint has cured the data aggregationindustry’s obscurity problem. Headline after headline has discussedthe fallout since ChoicePoint revealed that it was duped intoselling sensitive information about 145,000 people to fraudsterslast year. The scammers set up a series of fake businesses toappear like legitimate buyers of financial information. Theirpurpose was to use it in later identity frauds.

In the wake of the ChoicePoint affair came a deluge of other disclosures. Hoping to obscuretheir errors in the onrushing press whirl, or having quicklylearned the importance of disclosure, a series of companies andinstitutions revealed similar breaches. Among them were payrollcompany PayMaxx, Bank of America, LexisNexis’ Seisint, severaluniversities, and a shoe retailer called DSW.

It would be wrong to say that the consumer data industry hadbeen without controversy. Its well‐​known members, the creditbureaus, have been besieged for years by complaints aboutinaccuracy and unfairness. This despite the Fair Credit ReportingAct, a federal regulatory scheme imposed 30 years ago to addressinaccuracy and unfairness in credit reporting. The FCRA was amendedin 2003 to address inaccuracy and unfairness in credit reporting.Again.

To the extent they are known, the other data aggregators arepoorly understood and mistrusted. They have no consumer face‐​noteven the limited exposure of the credit bureaus. Little is knownabout what data they collect and how they get it, or to whom theysell it. Several of them, unfortunately, have engaged with the federal government,hoping to provide data mining and surveillance services.

Cued by the new press attention to data security, senators andrepresentatives have stepped in front of earnestly scribblingreporters announcing their plans to make us safe. A variety ofbills in the House and Senate would mandate “fair” informationpractices, require notice of breaches, and force data aggregatorsto provide consumers with access to personally identifiableinformation, plus the right to correct it. Many of these arelong‐​dead proposals that have nothing to do with data security.Indeed, some would undermine it even further. But no matter. TheAmerican public and media are ready to be buffaloed.

The companies that allowed these data breaches are blameworthy,to be sure. Bank of America moved tapes with financial data aboutmillions of account holders by ordinary air transport. It issurmised that the tapes were lost or that baggage handlers simplystole them.

Of carelessness like this, Sen. Patrick Leahy (D‑VT) said, “Idon’t know what these people are thinking.” It’s a good rhetoricalpoint. But it may have an equally good answer.

You see, one thing Bank of America may have been thinking aboutis the federal government’s “Safeguards Rule.” This is a datasecurity regulation that was mandated by Congress in the 1999Financial Services Modernization Act, also known asGramm‐​Leach‐​Bliley. Intended to ensure the security of financialdata about consumers, the regulation requires financialinstitutions to:

  • designate one or more employees to coordinate datasafeguards;
  • identify and assess the risks to customer information in eachrelevant area of the company’s operation, and evaluate theeffectiveness of the safeguards for controlling those risks;
  • design and implement a safeguards program, and regularlymonitor and test it;
  • select appropriate service providers and contract with them toimplement safeguards; and
  • evaluate and adjust the program in light of relevantcircumstances, including changes in the firm’s businessarrangements or operations, or the results of testing andmonitoring safeguards.

Maybe Bank of America was too focused on this federally mandatedsecurity paperwork to focus on actual data security. Inany event, federal data security regulation did not work.

Regardless, politicians’ calls for “stronger” regulation arepredictable because “stronger” regulation is “better”-in a pressconference. In the real world, however, regulation is no morecapable of divining threats to data security than, say, a commonlaw liability regime, or even businesses’ natural interest inmaintaining their operations, integrity, image, brand, andassets.

As noted, data aggregation gives our economy brains. The newregulations being proposed would put a thumb on the carotid arteryof information‐​based businesses, making them a little woozier, alittle less aware, and a little less able to serve and protectconsumers.

What matters with breaches such as ChoicePoint, Bank of America,and all the rest is whether anyone was harmed. Was a data‐​richcomputer stolen and used for target practice on a backyard shootingrange or was its trove of information used in hundreds or thousandsof frauds?

Rather than hurried, one‐​size‐​fits‐​all federal regulation,imagine a rule where negligent holders of sensitive data sufferliability for damage caused by breaches. Imagine they have to payinjured parties for the consequences. Ten thousand breaches causing$1000 damage would cost a negligent data holder $10 million, alongwith adverse publicity and all the rest. Under such a rule,breached companies would race to shore up the damage becausefurther damage would create further liability.

Attractive proposals like mandatory breach notifications mightbe useful sometimes. Just as often, notification would be asideshow with no role in preventing consumer harm. Occasionally,notification would tip off computer thieves to the fact that theyhave also stolen data they could use in identity fraud. This stiff,one-note reaction pales in comparison to the multi‐​faceted responsethat would be gotten from putting the responsible party in thefinancial shoes of victims. Special damages-“civil penalties” andthe like‐​are not appropriate: The objective is proportionalresponse, and such things would detract from that.

Data security regulation is a proven failure. There is analternative to more of the same. But how do we create thisintriguing negligence rule? What has to be done?

Nothing. Just watch and wait. The rule has already been adoptedby common law courts in New Hampshire and Michigan.