
Day 3: Experts talk about ID theft

Members of News.com's ID theft roundtable panel open up a discussion with News.com editors and our readers.

Experts' Roundtable: Wednesday, October 26, 2005

The members of this Roundtable panel have agreed to have a discussion with News.com editors and our readers. Although we cannot guarantee a response for every e-mail, you can submit your questions for panelists here.


Who should be responsible?

From: Jim Harper
Subject: Pre-emption and Common Law
Tue, 25 Oct 2005 19:53:29 PT

Chris has articulated well the flaws in the argument for national regulation. Though I tend to think that many of the experiments in legislating are mistaken, states should be free to make those mistakes and they should live with the consequences.

It's a fairly thin argument to complain about a "patchwork quilt," I think. Most of my friends in the free-market community give it a lot of credence, though, because of the obvious inefficiency of varied regulation throughout the country. But this proves too much. Under this theory, almost all regulation could migrate to the federal level. Americans would live under a remote government in which there is little of the experimentation, comparison, and competition among jurisdictions that is such an important structural protection for liberty, lower taxes, and more sensible regulation.

A little efficiency can cost a lot if the result is a sick politics, and I believe we've got that. A good example is here with us: a state Senator who openly seeks federal regulation, which almost assuredly will undermine state power. California has passed some reckless legislation lately, like that bizarre antispam bill a few years ago, and been rescued from the consequences by federal preemption. Thus, no one has come back to their state legislator and asked, "What were you thinking?" They should.

 

(Chris, you might have enjoyed a brief momentary sense of solidarity a paragraph back. Sorry to wreck it . . . .)

Back on the common law question: I think the fundamental difference between Chris and me is that I'm arguing for a process, and he's arguing for a result. Correct, the Amy Boyer case was hard to prove. The point is not that it should be easy. The common law is not a tool of the anti-commercial left. It's a route to just and efficient law.

Rules like this should be adopted slowly and carefully because it's easy to do injustice when you're exploring uncharted territory in terms of technology, information practices, and so on.

Folks who want to do these kinds of things through legislation are not interested in the most fair or most efficient rule. They are trying to impose their view of the good on everyone else, using the capture of a temporary majority in a legislature to do so. That's wrong.

It has helped the proregulatory crowd to collapse all the issues into the word "privacy." Chris slips and slides among identity fraud, true privacy, and even murder, calling them all "privacy." This helps confuse and rile the population, all to the good for politicians. They offer facile half-answers that advance their political careers, but the problem still festers.

Hey, Senator Simitian, you are a public official and I'm a big fan of accountability. So how about answering this question: Has identity fraud fallen in California since A.B. 700 went into effect more than 2 years ago? If the results aren't in yet, what baseline do you plan to use?


From: Chris Hoofnagle
Subject: Common Law Questions
Tue, 25 Oct 2005 20:40:29 -0700

Jim is slipping from ad hominem to the vagueness fallacy.

Jim argues, "I think the fundamental difference between Chris and I is that I'm arguing for a process and he's arguing for a result. Correct, the Amy Boyer case was hard to prove. The point is not that it should be easy. The common law is not a tool of the anti-commercial left. It's a route to just and efficient law."

Okay, what is that proposed process? If we look at it now, the result is that most privacy wrongs would never be remedied because of the obvious difficulties in bringing tort suits. That, generally, is what has happened when plaintiffs try to protect information privacy with the tort system. So the *result* at some level speaks to the *quality* of the process.

How would unwanted telemarketing, junk faxes, and wireless phone telemarketing be better addressed by tort law than regulation? Would we sue the caller, the broker who sold the list? Where's the duty?

How will tort rules improve upon the access, correction, auditing, and limit on disclosure rules in the FCRA? Would we just have to sue constantly to get discovery in order to see whether our credit files have been released?

In regards to Boyer, what reasonable measures should be employed to protect data? Should we leave that up to a jury?

For identity theft victims, should they just sue everyone in sight and subpoena all of their credit card companies, in order to determine who breached their data?

How about this: tort law allows a person to recover damages in some circumstances where no harm has occurred, but the risk of harm has increased. What if every American sued data brokers collectively to argue that their risk of identity theft was increased by some of their practices? There's growing evidence that list brokers are being used by scammers to identify victims. What would you think of a class action against the entire array of companies that sells lists of personal information for heightening risk of fraud?

Finally, what makes judges better than legislatures? Aren't they elected in many states, or appointed by people who are elected? Isn't there a whole cadre of ideological candidates being groomed to basically legislate from the bench?


From: Jim Harper
Subject: Common Law Answers
Tue, 25 Oct 2005 22:05:15 PT

I may have been unclear, and maybe that's frustrating. The process I am talking about is the adoption of legal rules through common law.

Each of the concerns you have asked me about has a different source and a complicated solution. Some of them have to do with privacy, but others have to do with other information policy issues. And many of your apparent priorities, such as "auditing," are probably just not shared widely or required by justice. So you can't fault common law if these outlier demands are not met.

But I will explain as to our topic, data security: Given a general duty to protect the subjects of data, data holders are obligated to consider the threats to the security of data and the consequences should a breach occur. They must take reasonable steps to protect against breaches and, should one occur, take steps to mitigate the harm to consumers. To the extent they fail, they owe money to the injured party.

There is a legitimate question about how victims of identity theft would discover if a data holder was responsible. To understand the answer, you must consider the incentive created by the rule. A data holder that fails to secure data and then attempts to hide from that would send its liability rocketing skyward because of increased direct costs, punitive damages, and perhaps criminal liability.

Failing to own up to a breach and--more important--failing to protect the consumer would be a bet-the-company decision. Would someone choose wrong? Perhaps so, once in a while. But no more than someone would choose to violate a statutory disclosure requirement. So, as to disclosure, you've got parity between the two regimes. Among companies hoping to stay in business, the liability rule creates not only a disclosure practice but many other consumer-protective practices going well beyond the anemic notice required in the California disclosure law.
