Submission Number: 00187
Received: 12/14/2010 9:31:49 AM
Commenter: Sasha Romanosky
Organization: Carnegie Mellon University
Agency: Federal Trade Commission
Initiative: A Preliminary FTC Staff Report on "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"
Attachments: No Attachments
Greetings, There has been much discussion regarding both the consequences and benefits of requiring companies to notify individuals when their information has been lost or stolen. In an updated analysis of the effect of these US state data breach disclosure (security breach notification) laws, we use consumer-reported identity theft data from the FTC, over the years from 2002-2009 and we find that laws have, indeed, reduced identity theft by 6%. While it is difficult to qualitatively evaluate this reduction (i.e. is it good? Is it enough?) we believe this is a positive result and we welcome the opportunity to share these results with this Committee. Moreover, we believe it is the only study that attempts to rigorously evaluate the effect of these laws on consumer outcomes. The full paper is available at http://ssrn.com/abstract=1268926 and the citation is: Romanosky, Sasha, Telang, Rahul and Acquisti, Alessandro, Do Data Breach Disclosure Laws Reduce Identity Theft? Forthcoming in the Journal of Policy Analysis and Management, 2011. cheers, Sasha Romanosky