Information Disclosure as a light-weight regulatory mechanism

DIMACS
Deirdre K. Mulligan
Director, Samuelson Law, Technology & Public Policy Clinic
Clinical Professor of Law
Boalt Hall School of Law
Information School
University of California
If you build it they will come… or maybe not…
– The existence of technology solutions on their own does not improve security or privacy.
Creating incentives for security
– Security failures
  – FTC Federal Advisory Committee on Online Access and Security (2000)
    – Underinvestment in security
    – Relatively non-existent security market
    – Missing data points
      – Numerous breaches every year
      – Consumers/regulators largely unaware
    – 4 options, 2 preferred
      – Maintain a security program
      – “appropriate under the circumstances” duty of care
– Problem: How to create a flexible duty of care
  – Legislation/regulation, industry self-reg, courts, tort, media
  – Limitations on all…
Creating a flexible duty of care
– Findings from Emergency Planning and Community Right-to-Know Act (EPCRA)
  – Huge drops in releases (EPA estimated 40%, but likely less)
  – Operational changes within companies
  – Remarkable changes from lighter, less costly approach
– Why?
  – Incentives
    – benchmarking, rationalizing of investment
  – Enabled
    – Democratic participation
    – Collaborative decision making
    – Risk assessment (insurance/investment)
  – Provoked a race to the top
  – Avoided one size fits all, top-down, hard to adapt standards
  – Provided incentive structure to develop internal processes to manage risk, improved tools available to management
Creating a flexible duty of care
– Traditional Regulation
– Information Disclosure
  – Emergency Planning and Community Right-to-Know Act (EPCRA)
    – Gets government out of the middle
    – Widely copied model
    – Sunlight as disinfectant
  – Rhetoric
    – FOIA, FACA…
    – Private action
  – Reality
    – Drive performance through transparency and public oversight
    – Wide range of players able to use information for various purposes
What happens if we apply this to security
– California
– Privacy as pollution
  – Industrial society → information society
History of Security Breach Disclosure
– SB 1386 (Simitian/Peace)
– Effect July 2003
– Eye opening
– 32+ other states follow
– Federal legislation on 2007 Congressional agenda (Feinstein)
Role of policy in creating incentives
– Effects of Security Breach laws
  – More information
    – Broad reach -- electronic data
    – Privacy laws highly fragmented, sectoral, difficult to adjust
    – Security process focused → lacking performance metrics
      – Absent legal requirement only 20% of firms will report serious breaches (FBI/CSI 2005)
      – We have no proof that process produces good outcomes
      – Don’t know how to measure security, but this introduces at least one measure of failure which….
  – Put a price tag on failure
    – Average cost $182 per person (Ponemon 2006)
    – $75 per notice
    – Remedial services (credit monitoring etc.)
    – Heightened churn rates
    – Public relations, unwanted attention from AGs, FTC, trial lawyers
    – Affects stock prices to some extent (Acquisti et al.)
    – Influences insurance, ratings etc. (possibly)
Role of policy in creating incentives
– Effects of Security Breach laws, cont’d
  – Altered assessments of investment
    – “encryption of data done in advance of a breach may now be cost effective…” -- L. Sotto
  – Altered attention within institutions? anecdotal
    – Security audits
    – Elimination of non-necessary personal information
    – Bifurcated databases
    – Tighter access control
    – Attention to risks of portable devices and media
Individual activity
– Potentially greater use of
  – credit monitoring
  – Opt-out lists
  – Privacy hygiene
Predictions?
– Success of EPCRA
  – structured information
  – Widely available
  – NGOs repackaging and recontextualizing
  – Regulatory agencies with substantive responsibility for issue
  – Result -- wide range of uses
    – Individual empowerment
    – Policy reforms
    – Self regulatory efforts
    – Internal reforms
– Does it translate?
Predictions?
– Limitations of Security Breach Legislation
  – No standard information
  – Severity of breaches sometimes unclear
  – Rarely centralized reporting (notice to individuals)
  – NGOs not activated around this data
    – push for federal legislation was silly, no need for it
    – No one is leveraging the data
  – No regulatory agency(ies) with substantive responsibility
– Predict -- more limited effect
  – Individual empowerment -- some, but limits on shopping with feet
    – Lots of third-party leaks which consumers can’t shop for
  – Policy reforms -- maybe, little reflection on effects, benefits, arguing over harm to consumers rather than focusing on benefits to computer security within firms
  – Self regulatory efforts -- uncertain
  – Internal reforms -- yes, but not well documented
Research
– Notices
  – 110 analyzing for breach type, relationship to consumer, remedial measures, disclosure practices
  – What are the causes of breaches
– Identify strategic measures to address
  – Policy, technical, procedural, educational
– Qualitative interviews
  – Organizational behavior literature
  – CSOs on SB 1386
    – Related to current project on CPOs
– What policies yield what changes in organizations
  – Investment, staffing, process and procedure, technology acquisition, product development, priority in organization etc.
  – Compliance v. compliance plus
  – Which produce race to the top in context of security?
Research Team
– Deirdre K. Mulligan, Clinical Professor
– Chris Jay Hoofnagle, Senior Fellow and Senior Attorney
– Olive Huang, Ph.D./J.D.
– Drew Lewis, undergraduate