CEI Experts Respond to Today’s Senate Hearing on Consumer Data Security

Washington, D.C., June 29, 2011 – Today, the Senate Committee on Commerce, Science, and Transportation held a hearing on “Privacy and Data Security: Protecting Consumers in the Modern World.” At the hearing, members of the committee addressed consumer data breach risks and discussed the possible effects of proposed data privacy legislation.

Policy analysts at the Competitive Enterprise Institute responded to today’s hearing with the following remarks:

Statement of Luke Pelican, Policy Fellow

Imposing federal standards on data security policies and breach notifications threatens the development of superior security measures and breach notification techniques that will emerge without such intervention. Companies have clear incentives to protect the data of their users and take reasonable steps to prevent breaches from occurring. If government sets standards across wide swaths of industry, companies and organizations will have an incentive to do the bare minimum for compliance, rather than innovating and seeking a competitive edge in this important area.

Internet firms make volumes of content available to consumers free of charge, funded by advertising linked to consumers’ individual interests. Restricting the ability of content providers to employ targeted marketing techniques that improve ad relevancy will ultimately harm consumers by encouraging providers to charge consumers for content that is currently unpriced. Consumers could also encounter more obtrusive, less relevant ads as a consequence of this type of legislation.


Statement of Wayne Crews, Vice President for Policy

Congress should exercise great caution before mandating federal pre-emption and compulsory “notice” of data breaches. While some public-private information sharing makes sense, in other instances the proper approach for privacy and data security is to keep information unshared. Mandating that firms report security breaches is not always the answer. Vulnerabilities may persist for days or weeks without anyone being aware, but automatic confession of every data breach or potentially exploitable vulnerability without regard to severity is not necessarily the best path to evolving information security.

Market incentives for disclosure are constantly growing, and that ethic will serve consumers better than a heavy-handed regulatory requirement. Regulation can also inappropriately impact the business of security outsourcing firms. At times, it might be best for security monitoring firms to alert one another behind the scenes, rather than for their clients to be subject to disclosure requirements. We need vibrant market incentives to encourage the sharing of what needs sharing, while downplaying false alarms or low-level risks.

Audits of interrelated privacy and security practices are increasingly being driven by insurance concerns and other market forces. Even auditors themselves may be “audited” by market actors such as ratings firms. The challenge for policymakers is to leave room for businesses to explore an array of approaches that continually prod the marketplace away from the alleged “market failure” of concealing information and toward openness as a competitive feature.