  |
|
|
||||
|
||||
Do Data Breach Disclosure Laws Reduce Identity Theft?
Sasha Romanosky Carnegie Mellon University - Heinz College of Information Systems and Public Policy Rahul Telang Carnegie Mellon University - H. John Heinz III School of Public Policy and Management Alessandro Acquisti Carnegie Mellon University - H. John Heinz III School of Public Policy and Management September 16, 2008 Abstract: Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce identity theft, their full effects have yet to be empirically measured. We use panel from the US Federal Trade Commission with state and time fixed effects regression to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2007. We find that adoption of data breach disclosure laws have a marginal effect on the incidences of identity thefts and reduce the rate by just under 2%, on average. While this effect is marginal, reducing identity theft is only one means by which these laws can be evaluated: we appreciate that they may have other benefits such as reducing the average victim's losses or improving a firm's security and operational practices.
Keywords: information disclosure, data breach disclosure, security breach notification, economics of information security, identity theft, fixed effects regression JEL Classifications: C23, K10, L51 Working Paper SeriesDate posted: September 19, 2008 ; Last revised: June 29, 2009Suggested CitationContact Information
|
|
||||||||||||||||||
© 2010 Social Science Electronic Publishing, Inc. All Rights Reserved.
FAQ
Terms of Use
Privacy Policy
Copyright
This page was served by apolloa 3 in 0.406 seconds.
One-Click Download
Facebook
Twitter
Digg
Del.icio.us
CiteULike
