In the past few weeks, I’ve gotten more than the usual number of data breach notifications, especially from entities that I’d never heard of before the notification arrived. This points to a specific incentives gap in privacy policy.
In most places, when there’s a data breach, you have to be notified. This creates an incentive structure for data companies to do something they’d rather not do, which is tell you their security failed. On the other hand, it offers almost no incentive for them to change their behavior to improve security, since they know perfectly well that there’s not really much you can do except throw the notification in the recycling. Sometimes you get free credit monitoring if you set it up. I don’t know what the uptake on that is, but once you have free credit monitoring, you probably won’t get it a second time for the same time period, so the more data breaches there are, the less credit monitoring costs each breach. That cost diminishes of its own accord. For things like 401(k)s, there’s evidence that you can increase uptake with an opt-out (rather than opt-in) mechanism, but credit monitoring takes time and information to set up, so that probably can’t be done automatically. In sum, notifications point to a problem but don’t incentivize the entities that could solve it to do so.