Data protection is an important issue for businesses, especially e-commerce retailers. But it’s important to remember that it takes a thief to commit identity theft, and that businesses are liable for the costs of $9 out of every $10 in ID thefts.

Many businesses acknowledge there are potential benefits to requiring notice of data security breaches. Data protection legislation typically requires consumer notification of a breach and the implementation of security measures to safeguard consumer information. Consumers who receive timely notice can monitor their credit accounts for unauthorized charges and add fraud alerts to their credit reports.

NetChoice helps inform policymakers about the costs and unintended consequences of data breach legislation. Over-notification will occur if consumers receive notices for situations that don’t pose a risk of identity theft, and will de-sensitize them to situations of true risk. That’s why most businesses have advocated a risk-based trigger for notice obligations. In addition, some state notification bills created the risk of massive private lawsuits against companies who missed technical notice requirements. Moreover, a rush to pass security breach notification bills has already created an unworkable system of inconsistent and incompatible state laws.