Study examines whether data breach notification laws work

Aniket Kesari of NYU's Information Law Institute has written Do Data Breach Notification Laws Work? Here's the abstract:

Over 2.8 million Americans have reported being victims identify theft in recent years, costing the U.S. economy at least $13 billion in 2020. In response to this growing problem, all 50 states have enacted some form of data breach notification law in the past 20 years. Despite their prevalence, evaluating the efficacy of these laws remains elusive. This Article fills this gap, while further creating a new taxonomy to understand when these laws work and when they do not.

Legal scholars have generally treated data breach notification laws as doing just one thing—disclosing information to consumers. But this approach ignores rich variation: differences in disclosure requirements to regulators and credit monitoring agencies; varied mechanisms for public and private enforcement; and a range of thresholds that define how firms should assess the likelihood that a data breach will ultimately harm consumers.

This Article leverages the Federal Trade Commission’s Consumer Sentinel database to build a comprehensive dataset measuring identity theft report rates since 2000. Using staggered adoption synthetic control – a popular method for policy evaluation that has yet to be widely applied in empirical legal studies – this Article finds that whether identify theft laws work depends on which of these different strands of legal provisions are employed. In particular, while baseline disclosure requirements and private rights of action have small effects, requiring firms to notify state regulators reduces identity theft report rates by approximately 10%. And surprisingly, laws that fail to exclude low-risk breaches from reporting requirements are counterproductive, increasing identify theft report rates by 4%.

The Article ties together these results within a functional typology: namely, whether legal provisions (1) enable consumer mitigation of data breach harms, or (2) encourage organizations to invest in better data security. It explains how these results and typology provide lessons for current federal and state proposals to expand or amend the scope of breach notification laws. A new federal law that simply mimics existing baseline requirements is unlikely to have an additional deterrent effect and may preempt further innovations. At the state level, introducing private rights of action may help at the margins, but likely suffers from well-identified issues of adequately establishing standing and damages. States that close loopholes surrounding breach requirements for encrypted data see lower identity-theft report rates, which suggests that other states may be wise to tighten these requirements as well. Looking forward, states should experiment with solutions such as automatically enrolling consumers in identity theft protection services or providing direct incentives for strong data security.

CFP for Berkeley Consumer Law Scholars Conference extended to 9/23

The abstract & outline submission deadline for the Consumer Law Scholars Conference has been extended to next Friday, September 23. Please see below for the information we received with submission instructions.

Abstracts & Outlines Due September 23

Please consult the conference webpage for more information on the conference format, important dates, and expectations for abstract submissions. If you would like to workshop an unpublished paper, please submit HERE by September 23, 2022: (1) a title, (2) a brief abstract that includes an explanation of how your article relates to other published work and advances the field, and (3) an outline of the article.

Examples of submissions from previous years showing the appropriate format may be found here.

Drafts of complete papers (suitable for workshop discussion) will be due January 31, 2023.

Fleming Scholars Program

We particularly encourage scholars who are currently working at legal services organizations to submit abstracts and to participate in the conference. The Fleming Scholars Program was launched two years ago in memory of our colleague Anne Fleming, who was a legal aid attorney before turning to academia. The program provides support, including conference travel costs and mentorship opportunities, for legal aid lawyers with scholarly aspirations. Please contact us if you are interested.

We look forward to seeing you in March 2023!

Sincerely,

The CLSC Organizing Committee: Kathleen Engel Ted Mermin Manisha Padi Rory Van Loo Lauren Willis

Feel free to contact Ted Mermin (tmermin@law.berkeley.edu), and/or conference logistics coordinator Ben Hiebert (ben.hiebert@law.berkeley.edu ) with any questions.

Rapid Growth of “Buy Now, Pay Later” Lending

The Consumer Financial Protection Bureau published a report today on the "Buy Now, Pay Later" industry. The report, Buy Now, Pay Later: Market trends and consumer impacts, finds that industry grew rapidly during the pandemic, and that borrowers may receive uneven disclosures and protections. The five firms surveyed in the report originated 180 million loans totaling over $24 billion in 2021, a near tenfold increase from 2019.

The CFPB says that this type of loan serves as a close substitute for credit cards, and that the agency will work to ensure that borrowers have similar protections when using these loans as when they use credit cards.

Patagonia founder gives away the company

Patagonia founder's is giving away his company, reportedly worth about $3 billion. The company will now be in the hands of a trust and a nonprofit organization. All future profits will be donated to help fight climate change.

CNBC has the story, here.

CFPB and CMS address illegal nursing home debt collection practices

The Consumer Financial Protection Bureau has "released an Issue Spotlight highlighting some of the difficulties and experiences heard from caregivers about being pursued over friends’ or family members’ alleged debts from nursing home facilities. Based on the findings in the report, the CFPB and the Centers for Medicare & Medicaid Services have issued a joint letter confirming that a nursing care facility may not require that a third-party caregiver personally guarantee payment of a nursing home resident’s bills as a condition of the resident’s admission to the facility. Such conditions violate the Nursing Home Reform Act and, as discussed in a new Consumer Financial Protection Circular issued [yesterday], subsequent attempts to collect debts from caregivers may violate the Fair Debt Collection Practices Act and the Fair Credit Reporting Act."

The CFPB's press release is here.