Short shelf life for data breach laws?

Privacy expert Thomas Oscherwitz says given the rapid advancement of technology, these laws may quickly become obsolete.

3 min read
Over the past year, 23 state legislatures have rushed to pass laws requiring companies to notify consumers in the event of data breaches. At least five congressional committees are actively at work on data-breach legislation.

Data-breach laws have had a remarkable and positive effect on security practices in the United States. Corporate America now is beginning to understand and respond to the risks of unencrypted data, poorly protected laptops and inadequate security procedures. Data security is getting put on the agenda of executives at the highest levels of the corporate hierarchy, where it belongs.

However, the shelf life of data-breach protection laws could be remarkably short. Given the rapid advancement of technology, these laws may quickly become obsolete--leaving companies with burdensome notice obligations that offer little if any help to consumers.

Disclosures that are relevant for a world of data matching make little sense in a new era of sophisticated identity verification technologies.

Why the short shelf life? Look at California Senate Bill 1386, the original data-breach law, passed in 2002. This law requires notification for the compromise of a very narrow band of personal information--Social Security number, driver's license number, account number and credit card or debit card number. The law assumed that if a crook had this unique information, he or she could take over your identity.

Unfortunately, this assumption is rapidly growing outdated.

For decades, institutions have validated consumer identities through the analysis of "shared secrets" or "data matching"--personal information only the consumer would know. Traditionally, institutions would rely on Social Security numbers, mothers' maiden names or other basic identifiers as the magical passwords that would verify an individual's identity.

Increasingly, the mere possession of somebody's basic identification information is insufficient to commit fraud, as a growing number of financial and wireless institutions have tightened security significantly by applying advanced technology. Today, these businesses validate identity through scoring technologies, behavioral analysis and other risk-based analytical approaches.

Evidence of this progress can be seen in the Federal Trade Commission's recent announcement of Identity Theft Complaint Data. Despite published reports of more than 57 million breached identities last year, the FTC announced that fraud reported by consumers rose by just 3 percent last year. This is the lowest level of growth in identity theft since the FTC started recording the data in 2000.

Not all industries are as sophisticated about verification technologies, so breach notification makes sense today. As of now, your Social Security number and birth date still have value to a fraudster. The FTC recently stated that the ChoicePoint data breach caused 800 incidents of identity theft. Similarly, in a study of 70 publicly reported breaches, ID Analytics found that 70 percent were the result of crooks targeting identity information, presumably to use in perpetrating identity fraud. Crooks wouldn't be stealing data if they could not convert it into cash.

But the growth of fraud detection technology is advancing faster than fraudsters' modus operandi. Their ability to profit off of identity information is rapidly diminishing.

Data-breach notification faces the danger of any law that prescribes rules based on rapidly evolving technologies. Such laws have a tendency to look backward toward legacy technologies instead of toward the evolution of new systems.

This same dilemma plagues the Real ID Act, which requires documentary proof of identification information when applying for state driver's licenses, even though modern copying technologies make it easy to mimic 50-year-old birth records.

It applies to antispam statutes that continually are outsmarted by criminals and their evolving technologies.

It applies to any government "watch lists" that fail to recognize the recent emergence of synthetic identities--identities that are fabricated by fraudsters out of multiple sources of legitimate identity information.

Disclosures that are relevant for a world of data matching make little sense in a new era of sophisticated identity verification technologies. A federal data-breach notification law will have far-reaching impacts on consumer confidence and the future of corporate security practices. We need to get this one right.