Compromise Is Needed on Data Security

The debate sparked by the ChoicePoint scandal can lead to an enduring, effective solution to the information security problem. But this will happen only if all the interested parties are prepared to forsake legislative business as usual in the interest of a genuine compromise.

With each new revelation by ChoicePoint, another information broker, or a financial institution victimized by information theft, the pressure for action grows. Federal and state legislators have already proposed literally dozens of bills, and more are doubtless in the works.

If the legislative debate follows this well-worn course, there is a significant risk that the regulatory structure that emerges will remain a patchwork of badly integrated federal and state laws that impose new obligations or liability on the industry but do little if anything to genuinely improve information security. All participants will be dissatisfied with this outcome, but everyone will be too exhausted by the struggle to reopen debate until the next scandal erupts. Then the cycle will repeat itself.

The lack of certainty about the legal standards for information security should by now be clear to all observers. We don’t even know where the authority to establish such standards resides. The FTC? All agencies with Gramm-Leach-Bliley regulatory authority? The courts? As a preliminary matter, this jurisdictional question cries out for clarification.

The cost to consumers has received the most media attention, but with the availability of information so central to the business of many financial services firms, the industry arguably has as much at stake economically as anyone in preventing breaches, if not more.

The costs associated with breaches and uncertainty about the legal environment are increasing all the time.

The outlines of several possible compromises that would materially benefit both consumers and the industry are already clear.

We could empower a single agency to write clear information security regulations, establishing explicit standards for administrative, technical, and physical safeguards (including notification of a breach), with no liability for consumer harm that occurs despite compliance with those standards and strict liability for such harm if an institution failed to comply.

The standards would apply to all financial institutions handling consumer information. Under this compromise, the industry would get a safe harbor. Consumers would get certainty about what they could expect in the way of security and meaningful redress for industry failure.

Alternatively, we could prohibit the establishment of any standard (in any administrative action or state or federal litigation) other than “reasonableness in the industry” but leave enforcement of this standard to the courts. Under this compromise, consumers would retain all the perceived benefits of the tort system while the industry would be able to set the regulatory standard with which it would be expected to comply.

We could even achieve compromise by stepping entirely outside the usual consumer-protection paradigm. Information security, one could argue, is akin to on-the-job safety — a broadly distributed social good that is occasionally found to be unintentionally lacking.

Consumers and the industry could agree on a publicly coordinated insurance scheme for information security, on the model of workers’ compensation, that would preclude private actions in most circumstances. This would help the industry by keeping costs predictable, and it would help consumers by giving them the certainty of compensation when a breach occurs. As with workers’ compensation, the financial institutions with the highest claim ratios would, over time, pay the most in premiums, so there would be a financial incentive for strong controls.

There are doubtless other possible compromises. Working out the details is always difficult, but not doing that work virtually guarantees another round of ill-conceived, piecemeal legislation that will benefit neither consumers nor the industry.
