​

WHEN SENSITIVE consumer information is stolen, the risk of identity theft rises. Many states have notification legislation; but, writes Michael Turner of the Information Policy Institute, federal rules are needed to prevent “patchwork responses.”

Turner, in Towards a Rational Personal Data Breach Notification Regime, explains that a legislative solution is necessary because “market forces may undersupply notification,” since companies may not wish to notify consumers of a breach if the cost of doing so exceeds the expected damage to the company. However, if a notification trigger is set too low, consumers may eventually stop paying proper attention to a bombardment of notices.

Turner recommends restricting notices to breaches only of certain types of information (those that could be used to perpetrate a fraud), providing a safe harbor when stolen data are encrypted or otherwise inaccessible, and cherrypicking the best elements of state laws into a federal law.