Re: Researchers Say Notification Laws Are Not Lowering ID Theft Incidents

[Chris Walsh <chris () cwalsh org>]

A fair point, but plenty has been written about the notion of name and  
shame with these laws.  The idea being that embarrassment or threat  
thereof will induce firms to do the right thing.  This is specifically  
recognized in the paper (refer to figure 4, for example).

Regardless of whether the legislators sought to reduce ID theft, and  
whether it makes sense to think that selfishly-acting firms might help  
reduce it when faced with embarrassment, the repeated descriptions of  
this paper as showing that ID theft is not reduced are wrong.  The  
paper does not conclude that ID theft is not reduced.  It fails to  
conclude that it is reduced.  There's a difference, which seems to be  
eluding the press.

With better data (which the authors say they would like to see  
collected), we'd have much more to say.  THAT, it seems to me, is the  
story here.

On Jun 5, 2008, at 10:01 AM, Adam Shostack wrote:

> There's also no evidence that the laws reduce baggy pants.  But that
> was't their intent either. Their intent was to reduce the *impact* of
> id theft.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml