Computational Law & Breach Notification Laws
***
Executive Summary: This post aggregates observations made in the two ‘Maximizing Representative Efficacy’ posts (May 2011 and September 2012, respectively) and recommends a computational law model that simplifies breach notification. Such a model would render federalization of breach notification unnecessary.
***
Having recently been approved at the House of Representatives’ committee markup stage (46-9), the Data Security Act of 2015 (H.R. 2205) has gained some momentum. Like many of its ailing or already-dead predecessors, this bill is designed to replace the nearly 50 different consumer breach notification laws in place today.
But is this bill worth all the effort? Short answer: very unlikely.
There are many reasons why a federal breach notification law is unnecessary and, to be fair, perhaps an equal number in support of it. Here I want to focus on just one of them, and I will start with the conclusion, which splits in two: (1) consumers are generally either not equipped, or ill-equipped, to deal with such a notification, and (2) consumers don’t care enough about it to justify Congress going to all that trouble.
I’ll start with the second proposition. In the ecosystem of online contracting there is a contract that we all know and have all used. It contains enforceable terms, it is virtually never read, and it is virtually always agreed to. Yes, you’re right: it’s the ‘click-through.’
Over the last 15 years of presenting on a myriad of topics that invariably deal, in varying degrees, with online contracting, I have time and again asked my audience, mostly lawyers and law professors, how many of them read the click-through agreement before clicking ‘I Agree.’ On fewer than a handful of occasions I would see a few hands go up. Nearly all of them went down once I clarified that reading terms and conditions doesn’t count when you’re billing for it.
So what does this tell us? How is this relevant to computational law?
In my post “Maximizing Representative Efficacy: Part II” I reviewed Amitai Etzioni’s Privacy Merchants, in which he illustrates the dismal rate of interest consumers show in reading the fine print. L. Gordon Crovitz argued that this phenomenon is evidence that people don’t care because they simply can’t; they find the contractual provisions “impenetrable.”
The same principle holds true in the context of monitoring identity theft and credit scores following a breach notification. Arguably, the task at hand, even when handled by an identity/credit monitoring service, is not sufficiently simple and remains within the “impenetrable” category. Congress’ effort to streamline notification by converting it all to a single standard therefore ends with a big ‘so what?’ Does it really help the consuming public? Suppose every consumer must be notified within 30 days: does that solve the problem we are trying to fix? If we were to gauge how many affected consumers actually understand what they are getting into, know what they need to do, or read the fine print associated with this activity, I venture the dismal rates would be replicated here as well.
Together, the two “Maximizing Representative Efficacy” posts hint at a computational law solution that renders H.R. 2205 and its ilk unnecessary: adopting and implementing a signaling standard. Such a standard synthesizes the complexity of dealing with a breach notification into easy-to-follow steps that dilute the intrinsic impenetrability, and it solves the problem that consumers don’t have the right tools at their disposal.
For example, instead of receiving the scary breach notification letter, a consumer would be alerted to the breach on their smartphone through a simple icon. (Most companies have the consumer’s email address, mobile number, or another contact method.) Clicking the icon, a single click, would enroll the consumer in identity/credit monitoring (which the company that experienced the breach pays for anyway). Each substantive notification triggered by the monitoring service would likewise be communicated with a single icon, and every action required of the consumer would be accomplished by a single click. The icons themselves represent the relevant synthesis of the various state laws and other relevant federal laws, but that synthesis is invisible to the consumer.
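One way to sketch the signaling standard in working code, as an added example that is not from the original post: the legal synthesis lives in a rule table the consumer never sees, and each icon carries a signed, expiring one-click token so that a click received by the monitoring service can be checked as genuine rather than forged or replayed. The jurisdictions, obligations, deadlines, data-type rules and the signing key below are constructed placeholders, not real statutory requirements, and the token design (an HMAC over consumer, breach, action and expiry) is an assumption of this example rather than anything the post specifies.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-jurisdiction obligations: which consumer-facing actions
# the synthesis must surface and the notification deadline in days.
# CONSTRUCTED placeholders, not a summary of any actual law.
OBLIGATIONS = {
    "ST_A": {"deadline_days": 30, "actions": ["enroll_monitoring"]},
    "ST_B": {"deadline_days": 45, "actions": ["enroll_monitoring", "credit_freeze"]},
    "ST_C": {"deadline_days": 60, "actions": ["fraud_alert"]},
}

# Data types that, in this toy model, escalate the recommended actions.
SENSITIVE = {"ssn", "account_number"}

# Display text for the icons. This is all the consumer ever sees.
ICONS = {
    "enroll_monitoring": "Turn on free identity monitoring",
    "credit_freeze": "Freeze your credit",
    "fraud_alert": "Place a fraud alert",
}


@dataclass
class Breach:
    breach_id: str
    jurisdiction: str      # placeholder key into OBLIGATIONS
    data_types: set
    discovered_at: float   # epoch seconds


@dataclass
class Signal:
    action: str
    label: str
    deadline: float
    token: str


def synthesize(breach: Breach) -> list:
    """Collapse the applicable (placeholder) obligations into an ordered,
    de-duplicated action list. This is the 'invisible' legal layer."""
    actions = list(OBLIGATIONS[breach.jurisdiction]["actions"])
    if breach.data_types & SENSITIVE:
        actions.append("credit_freeze")
    seen, ordered = set(), []
    for a in actions:              # keep first-seen order: first icon first
        if a not in seen:
            seen.add(a)
            ordered.append(a)
    return ordered


def _sign(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def build_signals(breach: Breach, consumer_id: str, key: bytes, now=None) -> list:
    """One Signal (icon + one-click token) per synthesized action. The token
    binds consumer, breach and action and expires at the deadline, so a
    leaked or replayed link cannot enroll someone else or act later."""
    deadline = breach.discovered_at + OBLIGATIONS[breach.jurisdiction]["deadline_days"] * 86400
    signals = []
    for action in synthesize(breach):
        payload = {"c": consumer_id, "b": breach.breach_id, "a": action, "exp": deadline}
        signals.append(Signal(action, ICONS[action], deadline, _sign(key, payload)))
    return signals


def verify_click(token: str, key: bytes, now=None) -> Optional[dict]:
    """Server-side check when the consumer clicks: returns the payload only if
    the MAC matches and the token has not expired, otherwise None."""
    now = time.time() if now is None else now
    try:
        body_hex, mac = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    payload = json.loads(body)
    if now > payload["exp"]:
        return None
    return payload


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"   # placeholder secret
    b = Breach("br-001", "ST_A", {"email", "ssn"}, discovered_at=1_700_000_000)
    for s in build_signals(b, "consumer-42", demo_key, now=1_700_000_000):
        print(s.label, "->", verify_click(s.token, demo_key, now=1_700_000_000))
```

The point of the token check is that a one-click flow is only safe if the receiving service can tell a real click from a link an attacker minted or copied; binding the action and an expiry into the MAC, and comparing with `hmac.compare_digest`, is the minimum for that.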
Admittedly, this process and technique is not foolproof, and there is quite a bit of work to iron out the wrinkles. Even so, it offers the beginnings of a more practical solution than the ill-fated, expensive, impractical and inefficient efforts of the federal government.
***
Update 5/7/2017: Neural networks can play an important role in making the legal synthesis (which triggers the notification icons) more effective; for example, they can eliminate false positives. Accurately identifying the origin of data exfiltration, and then using that specific data point as a cross-reference/trigger parameter, can help the monitoring service determine what kind of notification (if any) should be issued and what specific recommendations will be provided to the user.