Data Security Legislation: The Benefits and Costs of Notification Requirements

Published July 1, 2006

About 30 states have online data security laws, and federal bills addressing the subject are moving through both houses of Congress.

These bills vary considerably in scope but generally include requirements to establish a data security program; requirements for notification of affected individuals in the event of a security breach; and provisions that affect the collection and commercial use of personal information.

Paul Rubin, professor of law and economics at Emory University and an adjunct Progress & Freedom Foundation fellow, and I performed an economic analysis of notification requirements for data security breaches.

Benefit-Cost Analysis

We found that the annual cost of identity theft and related frauds is $55 billion, $50 billion of which is borne directly by businesses, including banks, credit card issuers, and merchants. Companies clearly have strong incentives to spend money on data security.

It is less clear whether firms also have adequate incentives to notify compromised consumers. The issue is an empirical one: Do the benefits of notification outweigh the costs?

The expected benefits to consumers of a notification requirement are extremely small–on the order of $7.50 to $10 per individual whose data have been compromised. This is because most cases of identity theft do not involve an online security breach. Only a very small percentage of individuals compromised by security breaches–perhaps 2 percent–actually become victims of a fraud. Most of those are victims of fraudulent charges on their existing credit accounts, for which they have very limited liability to begin with.

The direct costs of notification may be less than $10 per individual (our estimate of the maximum benefit), but only for relatively large notification programs. This is at least in part because most data security statutes permit less-expensive notification methods (e.g., email or posting on a Web site) once a dollar or number-of-victims threshold is reached.

However, the major costs to be concerned about are not the direct costs of notification. Rather, they are the costs incurred when consumers and firms overreact and take actions that are harmful to themselves and to the free flow of information. Consumers, for example, may be induced to place fraud alerts on their accounts or close them entirely, actions that are likely to be far more costly than being an identity theft victim.

Because a notification mandate is dubious on benefit-cost grounds, it should be written carefully. Any mandate should permit firms themselves to determine which customers are most at risk and tailor notice to those individuals.

Effect on Small Business

The effect of data security regulations on small businesses should be an important part of the benefit-cost calculus. These regulations impose a per-unit burden that is inversely related to the size of the company–that is, a notification requirement applied to small firms is less likely to pass a benefit-cost test than a requirement applied to large firms. In addition, the added costs could have an adverse effect on competition, because they make it more difficult for firms to enter markets in which the use of personal information is important.

Data security regulation disproportionately affects small firms in several ways.

The requirement to establish a data security and notification program involves costs that are largely fixed. Establishing such a program entails retaining specialized expertise, including computer, data management, and legal expertise, either in-house or from outside. So does assessing the risks associated with a breach and designing the notice and the rest of the program. These costs are likely to vary little with the size of the firm and therefore are higher per unit of output for small than for large firms.

Moreover, without federal preemption, companies are faced with the prospect of familiarizing themselves with numerous different state laws to make sure they are in compliance. Federal preemption, if enacted, would eliminate these costs and work to the advantage of small firms.

Finally, it is important to note that any regulation of the information sector that raises the costs of targeted advertising and obtaining accurate customer lists has a greater adverse effect on new entrants and small firms than it does on large, established firms. This is particularly true for Internet advertising, where established firms have lists of their own customers and visitors to their Web sites, but new firms must purchase such lists. If regulation should reduce the size of the list market and increase costs, competition from new entrants would be reduced.

None of this is meant to imply that data security regulations are necessarily a bad thing. But such regulations must be subjected to rigorous benefit-cost analysis to assure that, if adopted, their benefits are sufficient to justify their costs.

Thomas Lenard ([email protected]) is senior fellow and senior vice president for research at the Progress & Freedom Foundation. This article is adapted from testimony before the House Committee on Small Business’ Subcommittee on Regulatory Reform and Oversight.

For more information …

The July 2005 report by Thomas Lenard and Paul Rubin, “An Economic Analysis of Notification Requirements for Data Security Breaches,” can be found online at