Shostack + Friends Blog Archive


The Cost of Disclosures, and a Proposal

So there’s a spectre haunting my arguments for disclosure, the spectre of cost. I’m surprised none of my critics have brought it up yet.

Mailing notices to people, and handling their questions can be expensive. When the personal data being lost is a credit card number, I don’t care that much. When it’s medical data, my national id number, or other data which can be used to harm people, I care more.

I’d be perfectly willing to forgo personal notification of the theft of credit card numbers. I just don’t think it’s that important, and the liability lies with the banks and the merchants. In contrast, the outcome of my SSN being abused falls back to me, in credit reports, false arrests, etc. Personal notification regarding SSNs will be important until we have a society where I’m in control of my personal information and how it’s used to identify and authenticate me. Personal notification around medical and other information will always be important.

The tradeoff I’ll offer up is this: I’ll stop caring about personal notification of credit card breaches if we can agree that a decent, in-depth analysis of what went wrong should be filed in some public way, and that any organization that does so should get some degree of protection against negligence claims. That analysis is being done anyway, so the additional cost is pretty minimal. The additional legal exposure created by telling what happened can be addressed by adding some protections. It is essentially trading the public good of more information to analyze for protection against legal claims being built on that information.

3 comments on "The Cost of Disclosures, and a Proposal"

  • Iang says:

    Bringing up “it costs too much” is a poor argument when we haven’t yet figured out what is the right thing to do. Although SB1386 was a big win, I don’t think we want to glorify it and claim it perfect. Before there was nothing, now there is something. We still have a lot more distance to travel.
    The fundamental reason you have to be notified is that you are the only one who can properly assess your own risk. You have more info on these risks than anyone else; the person who lost the info has none of this information.
    So you are right in saying:

    When the personal data being lost is a credit card number, I don’t care that much. When it’s medical data, my national id number, or other data which can be used to harm people, I care more.

    But, I might make the precise reverse choice. You have no way of knowing, and neither does the company who quasi-posted my data on the net. (As it happens, I don’t have an SSN, but I have a CC, and the CC liability for me *does not fall back to the issuer* so I care little about the SSN and everything about the CC.)
    You need to show that risk is best off handled and understood at a global not personal level, and that relies on some flights of fancy like “government knows better” or “my risk profile is equal to yours.”

  • rG0d says:

    I don’t think you know how much credit card fraud can impact your credit. As Iang notes in his previous post – not all credit-card issuers protect you against card-fraud, and many that do require you to notify them within 40 days (or similar amounts) of time, otherwise the cost is yours.
    As I’ve noted in my own blog post, the amount of power credit reporting agencies have over their ability to ruin us is daunting – and playing casual with that data is by no means a smart thing to do.
    In point of fact, I propose in my blog posting to remove (or at least control) some of the power they have.

  • nowen says:

    I agree with Ian. I’m the one who can best decide my risk. Also, if I’m out $50 because of a merchant’s negligence, I want my $50 back from them.
