Evaluating Data Breach Notification Laws - What Do the Numbers Tell Us?
21 Pages Posted: 22 Mar 2013 Last revised: 29 Sep 2013
Date Written: August 15, 2013
Security and data privacy threats are rapidly emerging as one of the critical legal and economic issues for regulators. One area of significant regulatory attention has been the introduction of mandatory disclosure policies after a security breach in certain economic sectors. Most recently this global trend has also gained momentum in the new policies of the European Union.
This paper aims to set the basis for a comprehensive investigation of information disclosure as a policy strategy for data protection. The main objective is twofold: first, the paper develops a conceptual model to study the effectiveness of data breach notification laws (DBNL) which will support the feasibility of tailored analysis. The model captures the main causal relations around DBNL and the actors associated with them (government, sectors, community, law enforcement, media). A proper evaluation of the effectiveness of the DBNL will be made possible not only by analyzing the number of notified security breaches over time, but more specifically by enabling the assessment of effects directly related to the behavior of single actors and their interdependencies with the system they belong to. They include economic, legal, crime and response effects. The second objective is to study empirically the relationship between state DBNL and the number of reported data breaches, based on an evaluation of single law features. In order to estimate the correlation between state DBNL and sectoral data breach notifications an ad hoc methodology for law severity assessment has been developed and illustrated. Pursuing this second objective the research has tested the negative correlation between law severity and issued notifications in profit driven economic sectors. The analysis suggests that implementation of more severe DBNL has higher impacts on decreasing the number of notified breaches, but context changes and actors behavior drive this impact to lose its significance, in absence of any countermeasure such as ad hoc law amendments or revision.
The investigation is run on a US data set, however its outcomes are relevant not only for the American context but also for other regions, above all for the EU, given the growing attention of the European Commission for data security and transparency in cases of data breaches.
Keywords: data privacy, data breach notification laws, security breach disclosure effects, security breach litigation, law evaluation model
JEL Classification: C23, K40, L51
Suggested Citation: Suggested Citation