Data Theft Risk Overblown, Expert Says
Despite rampant anecdotal reports, solid data documenting a rise in credit card misuse are “very hard to come by,” an Emory U. economics expert said Fri. Offering Congressional staffers a contrarian outlook on data theft, law professor and Progress and Freedom Foundation (PFF) fellow Paul Rubin said not only has incidence not risen significantly, but research indicates fewer consumers actually are affected by breaches. He cited surveys by the FTC and e-commerce firm Javelin. Over time, Nielsen studies of the credit card industry show a drop in losses related to fraud, Rubin added. He credited card firms’ use of increasingly sophisticated misuse detection tools and growing expertise at flagging fraud.
Headlines ballyhoo tales of ID theft victims, but when it comes to bearing burdens inflicted by fraudsters, consumers incur only a fraction of crime costs, Rubin said. Financial institutions that are breached absorb much of the cost, giving them “strong market incentives” to deploy the best security available. A consumer whose personal data is compromised in a breach risks losing roughly $500 plus post-facto identity-protection expenses, Rubin said. Visa estimates that of all those whose data reportedly are compromised, only 2% actually endure measurable losses, he said.
More than 70% of ID theft has nothing to do with online data, Rubin noted, calling Internet-based transactions far safer than traditional transactions, which leave paper trails. But if lawmakers “beat up on companies for data losses,” they may scare consumers away from doing business on the Web and back to paper-based spending - whereupon incidents of ID theft could climb, he said.
An acknowledged regulation foe, Rubin advocated a federal law preempting state-imposed data security measures. State laws are “all over the map” and more are on the way, he said. State requirements for consumer notification vary, meaning data brokers must adhere across the board to the strictest state law - a bigger albatross around industry’s neck than lawmakers might have intended. Rubin urged Congress to impose a limited mandate giving data brokers flexibility in their precautionary and reactive breach-related practices.
Electronic Privacy Information Center (EPIC) Exec. Dir. Marc Rotenberg came down on the other side, calling Rubin’s argument hogwash. Regardless of whether one consumer in 20 or one in 200 is affected by ID thieves, the crime remains one of the country’s most prevalent, and deserves Washington’s attention, Rotenberg said. The first step to addressing the problem is accord on what constitutes effective notification; the 2nd is devising incentives for better privacy and security standards in business, Rotenberg said. Data brokers don’t operate like most consumer-oriented firms, he said. Those most concerned about risks from the industry -- consumers whose data are being bought and sold -- aren’t the companies’ customers.
Setting a federal baseline and giving states freedom to legislate upward is the best solution, Rotenberg said. Some will present good ideas that will be adopted; others will propose bad ideas that will be ignored, he said. Rotenberg disputed Rubin’s argument that compliance with 50 state laws unduly burdens the industry. “We're talking about businesses who keep highly detailed profiles on individuals. If you know a person’s state, why can’t you ensure that your practices for the data comply with the state law required for the person whose information you're collecting and selling?” Rotenberg asked: “Of any industry that has to deal with the question of multistate regulation, the data broker industry is in the least good position to argue that they don’t have the ability to comply with multiple state laws.”