In the modern digitized and networked world, personal identifying information has quickly become a commodity that can be traded, sold, or given away like any other. Personal identifying information can be copied infinitely, is often not protected nearly as well as physical commodities, and, most importantly, can have particular importance to the person identified by that information. The information collected is often given willingly as a legitimate part of a business transaction. It is when that information is removed from the original context it was given in that the problem arises. Giving the original producers of information knowledge on how to avoid theft of that personal identifying information is currently accomplished, however, insofar as it is accomplished at all, by a number of different incentive structures. These incentives include negative consequences for businesses that allow data to be stolen from them, as well as state laws that mandate disclosure of data breaches to those consumers who may be affected.
Existing incentives ultimately do not appear to accomplish the desired result: drastically reducing the number of data breaches that impact consumers. To address this concern, some analysts have suggested a move away from indirect incentives and toward affirmative incentives regarding the storage of users’ data. This article examines these incentives, question whether and why they do or do not work, and explores the need for further legislation. This article will also offer some ideas for future legislation that modifies the existing incentive structure to better accomplish the goal of consumer protection.
chulman, Ross. "Disincentives to Data Breach: Problems with Notification and Future Legislative Possibilities.” American University Legislation and Policy Roundtable, Spring 2009, 54-67.