In the past few weeks, I’ve gotten more than the usual number of data breach notifications, especially from entities that I’d never heard of before the notification. This points to a specific incentives gap in privacy policy.
In most places, when there’s a data breach, you have to be notified. This creates an incentive structure for data companies to do something they’d rather not do, which is tell you their security failed. On the other hand, it offers almost no incentive for them to change their behavior to improve security, since they know perfectly well that there’s not really much you can do except throw the notification in the recycling. Sometimes you get free credit monitoring if you set it up. I don’t know what the uptake on that is, but once you have free credit monitoring, you probably won’t get it a second time for the same time period, so the more data breaches there are, the less credit monitoring costs each breach. So that cost diminishes of its own accord. For things like 401(k)s, there’s evidence that you can increase uptake with an opt-out (rather than opt-in) mechanism, but credit monitoring takes time and information to set up, so that probably can’t be done automatically. In sum, notifications point to a problem but don’t incentivize the entities that could solve it to do so.
One can imagine an economist saying that consumers can penalize companies that lose their data by withdrawing their business. There’s about a thousand reasons not to believe this line of reasoning will work, but notice that even in a relative utopia, it provides zero incentives for third parties that you’ve never heard of to change their behavior. Why should they care about your opinion of them? They got your data without your even knowing they existed!
If I may take a famous article somewhat out of context, this suggests that we need to move to a liability rule for the entitlement of secure data. I can’t stop them from losing my data – I can’t even incentivize them to stop losing my data – but we need to impose a cost on them when they do so. I can’t do it myself, because the transaction costs of doing so are too high. Notification laws sense this, but they don’t go anywhere near far enough. Hence the following should be viewed as variations on a proposal:
- In addition to being required to notify consumers of a data breach, companies could be required to provide an (easy to follow and utilize) link to a payment button that transfers some defined and modest amount of money to each consumer affected by the breach (remember, breaches frequently involve millions of people; this has teeth).
- Too costly to set that up? Not enough opt-in? Ok, companies should be required to automatically send the same sum of money to a holding account. Once a year, consumers can go to the holding account and collect their money. I am under no illusion that most consumers will do this – the point is to penalize poor data security. Unused funds here could go to some worthy purpose, like funding Lina Khan’s work at the FTC.
- Really averse to involving individual consumers? All companies that retain personal consumer information have to pay a fee into a fund with investigative power over data security. The more personal the information, the more they pay. Sort of like #2, but without consumer access.
- For either #2 or #3, the money could also be used to enroll and maintain credit monitoring for anybody who opts in, just the once (or once per year).
- What about information that you actually willingly share with a known entity (says the economist)? Fine – exempt a company from having to do anything more than provide notice if and only if they can prove that the consumer whose data was breached dealt directly with them (no downstream “… and anybody we sell your data to” clauses in the boilerplate).
Finally, two possible side policies:
- You can go to credit agencies and freeze your file and put fraud alerts on it. We should seriously consider a policy that all credit files are frozen until a consumer actively unfreezes them, and unfreezing should always come with a timeframe after which the file freezes again. Opt-out, not opt-in. For minors, this really ought to be the default rule (and the additional identity checks etc. that go with fraud alerts ought to be the rule for minors).
- Ban mandatory arbitration for data breach cases, and explicitly allow class actions.
Data is too cheap, and breach notifications aren’t costly enough to companies, especially the ones that you’ve never heard of. Facing real liability for breaches, they would be incentivized to improve security. Equally important, they would be incentivized toward data minimization: you can’t lose data you don’t have, so you might keep only the data that you actually need. This won’t solve data breaches, but it at least would create some better incentives than we have now. Data is cheap to buy but socially costly because of breaches (there are other reasons, but breaches are the topic here). Data companies generally externalize those costs onto consumers. We should force them to internalize them.