Effectiveness of data breach disclosure contested
Forcing companies to admit to data security breaches may not lead to greater overall security, according to recently published research. A paper (PDF) by Sasha Romanosky, Rahul Telang and Alessandro Acquisti of the Heinz School of Public Policy and Management, Carnegie Mellon University, suggests that statutory disclosure does not significantly reduce the incidence or severity of corporate data breaches, at least in the US. The authors warn that such research is intrinsically hampered by a shortage of adequate data, in effect by low levels of reporting. They also suggest that a considerable amount of identity theft results from causes other than corporate data breaches, which may reduce the effectiveness of statutory reporting as a control measure. The US Government Accountability Office reported in 2007 that only a small proportion of corporate data leaks result in fraud against the data subjects.
In the marketplace, attitudes to disclosure are strongly polarised. A survey by security vendor Clearswift of corporate attitudes in the UK concludes that 87 per cent of IT managers are against compulsory disclosure and 60 per cent are unaware of impending data breach notification legislation. The Carnegie Mellon researchers, however, suggest that publicised data breaches do not, in general, appear to have a long-term adverse effect on stock prices.
The consumer position is quite the opposite. In a MORI poll conducted on behalf of Symantec, over 84 per cent of UK respondents stated they would definitely want to be notified in case of a data breach involving their records. This is comparable with the more than 70 per cent who expressed dissatisfaction with the security of their UK banks in a recent Ponemon study. However, public attitudes may fluctuate depending on the level of the perceived threat, so in the immediate aftermath of a highly publicised breach the figures might look different. As late as August last year only 46 per cent of respondents to a survey by the Oxford Internet Institute felt at risk of information breaches online.