Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?
Posted: 25 Mar 2015 Last revised: 27 Sep 2016
Date Written: August 15, 2015
While the discussion about a federal law on data breach notification is ongoing and a rash of large, costly data breaches has galvanized public interest in the issue, this paper investigates the phenomenon of data breach notification letters in terms of their content. We explore the causal link between, on one side, state-specific notification regimes, the industry sectors of breached organisations and the breach types that generate notifications and, on the other side, the type and timing of the communications issued by organisations. This helps shed light on the ultimate effects of the current set-up of data breach notification laws in the US. In particular, based on the observed behaviour of companies, do these laws act predominantly through the reputational fear of the breached organisations, pushing them to increase their security measures, or through the mitigation that customers can put in place once the communication is received?
In order to perform such an analysis we empirically answer the questions below by labeling a sample of letters according to the messages customers may perceive when they read them. Specifically, over 400 notifications issued in the U.S. in 2014 are classified based on elements that can be isolated and analysed, e.g. (1) does the letter alert the customer to possible consequences, or does it rather belittle the event? (2) is the customer in a position to immediately recognise the importance of such a missive, or can the letter mislead the addressee into dismissing it as spam? The analysis of the content of the letters is also extended to the time span between the data breach and the delivery of the notification to the customer.
Based on these deliberate choices made by organisations when composing and sending notifications, we are able to identify the pitfalls and opportunities generated by the possible implementation of a federal data breach notification law in the U.S., as opposed to the present state-by-state arrangement.
The research is innovative in presenting objective findings related to notification timing, notification style, and notification content more generally. It is based on 445 letters issued in 2014 in 4 states, representing more than 50% of the data breaches reported in the U.S. in the same year (783 according to the ITRC - Identity Theft Resource Center).
Keywords: data breach notification laws, data breach disclosure, data breach litigation, security breach notification effects, federal data breach notification law
JEL Classification: K20, K40, L51