The Obsession with ‘Data Breach Notification’

Published August 1, 2006

Despite its inherent problems, legislation on “breach notification” continues to float around Capitol Hill.

It started with a 2004 bill by Sen. Dianne Feinstein (D-CA), modeled on a California law, that would have required businesses to tell consumers when their data are stolen. The Federal Deposit Insurance Corp. (FDIC), along with other agencies, in March 2005 directed financial institutions to notify customers when their personal data are compromised.

This silly preoccupation with “data breach notification” is tantamount to locking the barn door after the horses are out. In an e-commerce environment where most barns don’t even have doors, the first obligation ought to be building stronger barns.

We all know that personally identifiable information (PII) in the wild can be abused. But we also know that a headline of “25 million veterans’ Social Security Numbers compromised” (untrue when it appeared) sells more papers than “25 million veterans’ bit streams embedded on a hard drive recovered with no access when laptop returned by fence.”

For more than a year, the media’s preoccupation has been with a so-far unsubstantiated epidemic of data breach and the fear this will produce a companion epidemic of identity abuse and other bad acts, although there’s no evidence of a causal relationship.

If we wish to have more reliable and less fretful electronic commerce and electronic government, we must adopt a systemic approach to the deposit, transmittal, storage, and custodial control of PII and other valuable data. That means better data custody practices, end to end, not just breach notification. Only the latest versions of House legislation on the subject come remotely close to reflecting the industry consensus on this important point, rather than dwelling on California’s dubious breach notification model.

Some might argue the rush to Congressional and state bill hoppers after the initial 2005 breaches is evidence of the sorry axis-of-banality between the uninformed press covering these events and the less-informed legislative staffers pandering to them and to hapless constituents. I am not sure why we see ill-considered proposals in the technology area so often today. We used to see important, valuable legislation: the R&D tax credit, the Cooperative Research Act of 1984, and patent-antitrust reform. Even Section 214 of the Homeland Security Act on critical infrastructure information was worth getting, even if the Department of Homeland Security has botched the implementation.

Legislating by headline is usually bad. Legislating technology by headline is certainly one of the worst examples of that sad phenomenon. Technology is nimble when controlled by the marketplace. It is often brittle as all get-out when controlled by a parliament.

Solveig Singleton ([email protected]) is a senior adjunct fellow at the Progress & Freedom Foundation. This article is adapted from an entry in the PFF blog.