Information Policy Institute Examines Data Breach Notification Legislation

Identifies pitfalls in many proposed data breach notification bills and laws, such as "over-notification," where consumers are inundated with information

A recent examination of data breach notification conducted by the Information Policy Institute identifies some pitfalls in many proposed data breach notification bills and laws. The study, "Towards a Rational Personal Data Breach Notification Regime" by Michael Turner, President and Senior Scholar of the Political and Economic Research Council, examines trends in identity theft, identity fraud, and data breaches and proposes elements for an effective notification system.

"Recent very high profile breaches of databases with personal information make it an issue that we cannot ignore," said Michael Turner. "Some legislation is necessary. But in the rush to respond to the real dangers of potential identity theft, we need to make sure that notifications are structured to do more good than harm." The study finds:
  • Identity theft and fraud have not been growing, and the damage done has been declining.
  • Responses by industry are having a positive impact in preventing identity crimes and reducing the damage done.


There are nonetheless good reasons to require consumer notification. Notification can direct consumers' attention towards their accounts and credit files, allowing them to monitor activity in their name and minimize the damage done. How and when consumers are notified, the study goes on to argue, matters a great deal for minimizing damage. If consumers are "over-notified," they will pay less attention and fail to direct their efforts to incidents where monitoring is crucial. The study points out four factors to be considered:
  • How the "trigger" or breach that prompts notification is defined is crucial in avoiding "over-notification" where consumers are inundated with information.
  • Uniformity in the notification requirement matters; a federal and pre-emptive requirement can prevent a fragmented patchwork of rules and "over-notification".
  • Notification should also take into account legitimate and desirable business activity, by being flexible so that some business models are not excessively hampered.
  • Effective notification requires that the needs of law enforcement and third-party data brokers be considered in order to better address the crime.