Dec 022010

Sasha Romanosky writes:

I imagine most of you have received one or more letters from companies informing you that they lost your personal information. If so, what, if anything, did you do about it? Did you check your credit history?; close a financial account?; something else?; or nothing at all? If you did act, you likely did it to reduce your risk of suffering identity theft. My research question is: did it work? This is something that I’ve been examining for a number of years now.

In a paper coauthored with Rahul Telang and Alessandro Acquisti at Carnegie Mellon University, we empirically examine the effect of data breach disclosure (security breach notification) laws on identity theft. For a policy researcher, this represents a fantastic opportunity: a clear policy intervention (adoption of laws across different states), a heated controversy regarding the benefits and consequences of the laws that is both practically and academically interesting, good field data, and a powerful empirical analysis methodology to leverage (criminology).

An initial version of the paper used consumer reported identity theft data collected from the FTC from 2002-2006. Using just these data, we found a negative but not statistically significant result. In fact, I was quoted as saying, “we find no evidence that the laws reduce identity theft.” And it was true, we didn’t.

However, we have since augmented that work to include data up to 2009, which allowed us to include more observations, allowed the law to exist for longer, and allowed companies to adapt to them, and perhaps empowered more consumers to take action. We find that the laws did, indeed, reduce identity theft by about 6%. Moreover, we can say that we have a fair amount of confidence in this estimate because the results hold up to many kinds of permutations and transformations — which is very nice to see.

Read more on Concurring Opinions.

Sorry, the comment form is closed at this time.