Prevent data breaches, don’t just report them

Imagine if a state police department website listed every home burglary that occurred in the past decade. The website contains each home’s address, the items stolen and a precise description of how the criminals broke in to each home.

Such a database would make little sense, as it would provide little public benefit, and could even give burglars a roadmap for the future. But that’s exactly what some states have done for cybercrime.

A growing number of state regulators publicly post details of data breaches that have compromised the personal information of their residents. Although these state websites are well-intentioned, they serve little public good and ultimately increase the risks of additional data breaches.

All but three states require companies to notify customers when hackers acquire sensitive information, such as credit card numbers and Social Security numbers. Many of those states also require the companies to alert state regulators and credit bureaus. The notices typically provide an overview of the data breach, a description of the information that was compromised and the steps that the company is taking to prevent additional attacks.

State data breach notification laws are a notoriously complex regulatory morass, with each state imposing different requirements about the types of data that trigger the notice requirements and the precise form of notification that is required. For instance, while some states explicitly require consumer notices to describe the general circumstances surrounding the data breach, Massachusetts explicitly prohibits consumer notices from describing “the nature of the breach.”

Failure to comply with these highly technical requirements exposes companies to significant regulatory actions and private litigation. These requirements are particularly burdensome for small businesses, which often do not have dedicated legal and regulatory compliance departments. For more than a decade, lawmakers have attempted to pass a single national breach notification law that preempts the state requirements, but those efforts have been unsuccessful.

Until Congress passes a single breach notification law, businesses are stuck with the incongruous patchwork of state requirements. States hope that these required notifications will place customers on high alert of possible identity theft. These laws also are grounded in a name-and-shame rationale: Companies might invest more in cybersecurity if they knew they would be required to tell customers and regulators about data breaches.

State cybersecurity regulators should focus on preventing breaches from occurring in the first place.

The efficacy of state breach notification laws is debatable. A recent RAND survey found that more than a quarter of U.S. adults received a breach notice in the past year, and 89 percent of them continued to do business with the company that reported the breach.

There is even less support for the claim that consumers benefit when states such as California and New Hampshire post detailed information about breaches on public websites, often including samples of the notices that the companies provided to customers. This year, Massachusetts became the latest state to publicize breaches of its residents’ information, though its summaries are more limited than those in other states.

If a customer’s data was exposed in a breach, that customer presumably would receive a notice directly from the company. State attorneys general and other regulators also would have received a notice. The company already has been named and shamed to the audience that matters most. It is difficult to imagine the average customer routinely scouring state data breach lists before deciding which business to patronize.

So it makes little sense why, for example, New Hampshire publicly posted a letter from a hotel chain’s lawyer describing a malware attack that may have exposed the credit card numbers of 30 New Hampshire residents. Nor is it in the public interest for California to publicize that a healthcare system’s vendor inadvertently left patients’ personal information accessible via the internet.

Such information likely provides leads for plaintiffs’ lawyers to organize class action lawsuits against the breach companies. Indeed, it would not be surprising to learn that lawyers use such lists to find leads for potential lawsuits.

More troubling, however, is the possibility that the breach notice websites provide a useful roadmap for cybercriminals. Hackers’ most valuable tool is information. With this information, criminals could learn which companies have failed to adequately secure customer data and the types of attacks that are particularly effective against those companies. The online breach databases also might alert criminals that customers’ personal information is for sale on the dark web.

Of course, breach notices are not classified documents, so if a company notifies thousands of customers, news of the breach likely will come from the media and sources other than the state website. And companies often issue press releases about large breaches. But these state websites provide a centralized database not only of the large breaches at massive retail chains, but also attacks on small businesses and nonprofits, which probably cannot recover as quickly and protect against future breaches.

Just as the state police should focus on helping communities prevent crime rather than publicizing the buildings that have open windows or weak locks, state cybersecurity regulators should focus on preventing breaches from occurring in the first place.

The public data breach lists are a symptom of a deeper problem: U.S. cybersecurity laws place a disproportionate emphasis on notifying the public after a breach has occurred. While notice always will play a role in remediating harm, policymakers should shift their focus to preventative measures, such as more robust and clearer data security standards and incentives for investments in cybersecurity.