Data Breach (Regulatory) Effects

14 Pages. Posted: 18 Apr 2015. Last revised: 10 Jun 2015.

David Thaw

University of Pittsburgh - School of Law; University of Pittsburgh - School of Information Sciences; Yale University - Information Society Project; University of Pittsburgh - Graduate School of Public & International Affairs; National Defense University - College of Information and Cyberspace

Date Written: June 9, 2015

Abstract

Breach notification laws have been a major driver of data protection efforts in U.S. organizations for over a decade. This form of disclosure-based regulation exists in 47 of 50 U.S. states, as well as four other U.S. jurisdictions, but has yet to be adopted as a law of general applicability at the Federal level.

This Essay considers the effects the structure of existing disclosure-based cybersecurity regulation has on the efficacy of U.S. firms' cybersecurity measures. Drawing on previous empirical work and analysis of firm incentives, it suggests two modest conclusions about the most efficacious legal structures: 1) that any disclosure-based regulation should be part of a broader cybersecurity regulatory framework; and 2) that any risk-of-harm threshold triggering notification should bear a presumption in favor of notification. Based on these conclusions, I suggest a preliminary regulatory prescription for policymakers considering adoption or standardization of disclosure-based regulation in the data protection context.

Keywords: cybersecurity, privacy, data security, data breach, security breach, breach notification, regulation

Suggested Citation

Thaw, David, Data Breach (Regulatory) Effects (June 9, 2015). 2015 Cardozo L. Rev. de Novo 151, U. of Pittsburgh Legal Studies Research Paper No. 2015-13, Available at SSRN: https://ssrn.com/abstract=2595297.

