An Economic Analysis of Notification Requirements for Data Security Breaches

Thomas M. Lenard

Technology Policy Institute

Paul H. Rubin

Emory University - Department of Economics

Date Written: July 20, 2005


In this paper, we examine the costs and benefits of laws requiring businesses to notify consumers if their private data is compromised, such as the law in California and other state and federal laws recently passed or proposed. Identity theft and related frauds do not seem to be increasing in recent years, and may be decreasing. A 2004 survey finds virtually identical results to a survey in 2003, and industry reports find no increase. This may be because credit card companies have increasingly sophisticated detection methods to prevent fraud. In addition, there are strong industry incentives to maintain security. Firms bear almost all of the cost of fraud, and firms suffering such fraud exhibit large stock losses in event studies. The cost to individuals of all sorts of identity theft, weighted by frequency and adjusted for time costs, is about $1000 for actual victims. Most identity theft (at least 70%) is based on data obtained offline, not online. The probability that an individual whose data is compromised is actually victimized is about 2%, so the maximum savings from notice is only $20. For various reasons (including time to receive notice and likely action if notice is received) the actual benefits are more likely to be about $10. The costs of notice include actions that consumers may take, such as fraud alerts, which are likely to be more costly than the benefits. New credit cards cost between $10 and $20. Even though online commerce is safer than offline commerce, consumers receiving notice may decide to do business offline, thus increasing their risk. Firms may also react strongly to minimize reputation losses; this may have perverse effects, as when it becomes more expensive for new businesses to obtain data about potential customers. Thus, any laws mandating notice should be limited. Finally, state laws that have already passed differ in significant ways, but since this is at least a national market, notice will probably be the same in all states. This means that the most restrictive set of state laws will overall govern in all states. This is an argument for federal preemption in this issue.

Keywords: fraud, identity theft, internet security, preemption

JEL Classification: K00, K14, K29

Thomas M. Lenard (Contact Author)

Paul H. Rubin

