​

IN THE WAKE OF multiple high-profile thefts of consumer information, the protection of personal data held in business databases has become a hot topic. Some legislators have introduced bills that would hold companies liable for inadequately guarding sensitive data as one way to encourage greater security.

The alternative is to rely on market forces to encourage businesses to improve data security. That’s the view of the Competitive Enterprise Institute, a nonprofit group self-described as “dedicated to the principles of free enterprise and limited government.”

Clyde Wayne Crews, Jr., writes, “Contractually driven approaches that treat liability as an evolving relationship should prevail over regulatory approaches that mandate liability, or at the opposite extreme, indemnify companies from liability when technologies fail.” Criminals, not the victimized companies, should be held accountable for attacks.

The question that remains is whether companies have, in the absence of any liability, a financial reason to care what happens to the customer data they hold. The fact that companies that do business in California and many other states now have to inform customers when a breach occurs may help to create a market incentive. If courts begin to hold companies liable for mishandling data, that could create another incentive.

There is some evidence that these forces are working. For example, Visa USA Inc. and American Express cut their dealings with payment-processing company CardSystems Solutions after its substandard security allowed a hack of its computers, exposing information about tens of millions of accounts. That sent the message to other card processors that poor security could cost them business.

Sometimes, however, laws help incentivize the market. An earlier example of how government may kick-start market forces to encourage companies to act responsibly was the Y2K situation, in which companies were required to list in public filings how they were preparing for Y2K.

Jody Westby, managing director of PricewaterhouseCoopers’ security and privacy practice, says that having companies affirm in public filings that they have enterprise security programs in place—and maybe even list core components of those programs—would prove effective, just as it did when companies were forced to detail the steps they were taking to prevent Y2K problems.