At least, that's the conclusion of a soon-to-be-presented report
from researchers at Carnegie Mellon University in Pennsylvania.
The paper - based on analyzing four years worth of ID theft complaints filed to the Federal Trade Commmission between 2002 and 2006 - begins by weighing the pros and cons of state data breach notification law, of which there are 43 versions. (Makes you wonder what the other seven states are up to?)
Anyway, the pros go like this: The laws force companies to analyze their security practices; customers are given the right to know if their personal information has been compromised; and researchers, law enforcement and lawmakers are able to figure out who's best at securing their data and who's not.
The cons: Unnecessary costs, reduced innovation and commerce (the idea here is that there may be a hesitation to use customers' personal information to introduce something new), and coping with multiple versions of essentially the same law. This is especially important when one considers that the probability of becoming a victim of ID theft because of a data breach is somewhere around 2 percent.
The conclusion: "We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce."
The report reasons that this may be attributable to the fact that breaches are a small cause of ID theft. So therefore, even if ID thefts as a result of breaches went down, the total number of ID thefts wouldn't move much because most are caused by things like lost wallets and dumpster diving, not lost laptops.
The report's authors recommend a federal notification law and that the notification letters contain more information related to the breach.
My take: Whether these state laws are doing anything to reduce IT theft may be irrelevant. What they are doing is raising awareness about IT security - and that is more important than everything.