Sunday, September 29 • 9:00am - 9:35am
Evaluating Data Breach Notification Laws - What Do the Numbers Tell Us?

Security and data privacy threats are rapidly emerging as one of the critical legal and economic issues for regulators. One area of regulatory attention has been the introduction of mandatory disclosure policies after a security breach in certain economic sectors. Most recently this global trend has also gained momentum in the new policies of the European Union.

This paper aims to lay the groundwork for a comprehensive investigation of information disclosure as a policy strategy for data protection. The objective is twofold. First, the paper develops a conceptual model for studying the effectiveness of data breach notification laws (DBNL), which makes tailored analyses feasible. The model captures the main causal relations around DBNL and the actors associated with them (government, companies, community, media). A proper evaluation of the effectiveness of DBNL is made possible not only by analyzing the number of notified security breaches over time, but more precisely by assessing the effects directly related to the behavior of single actors and their interdependencies with the system they belong to. These include economic, legal, crime and response effects (1). The model indicates concrete and measurable proxies for measuring these causal relations.

The second objective is to study empirically the relationship between specific DBNL characteristics and the number of reported data breaches. The conceptual model serves as the reference for an empirical analysis of the effects of the 46 DBNLs implemented in the US, based on how the states differ in terms of DBNL characteristics, actors and data breach events. The analysis is relevant not only for the American context but also for other regions, above all the EU, given the growing attention of the European Commission to data security and to transparency in cases of data breaches. Through this examination the paper tests the hypothesis that the implementation of a DBNL has a strong short-term effect in reducing the number of notified breaches and the related effects, but that in the mid to long term the changing context and the actors' behavior cause this impact to lose its significance, in the absence of countermeasures such as ad hoc law amendments.

The analysis starts from descriptive statistics, supported by a database of more than 3,500 data breaches in the USA made public since 2005. Breaches and organization types are classified into categories, enabling analysis not only at the state level but also at the sectoral level (e.g., healthcare) and by breach category (e.g., hacking). The model incorporates as a control variable the GDP produced by each sector in each state. The data required for the analysis are: DBNL characteristics (e.g., definitions, notification timing, penalties) drawn from the legislation of each state; notified data breaches by state, with single-breach information collected from the relevant databases (2); and state economic and technological properties taken from the reports of the US Census Bureau's Economic Census and the Bureau of Economic Analysis. Additional information on effects such as identity theft is available from the FTC and other publications.

The research is innovative in proposing a comprehensive model and in linking law characteristics, economic and sectoral state properties, and data breaches. To my knowledge this is the first paper to perform such an empirical analysis. Earlier work has focused on specific relationships within the model, such as estimating the market impact of breach announcements, the effects of mandatory disclosure as seen in the correlation between data breaches and identity theft, and empirical analysis of data breach litigation at the state level.

Fabio Bisogni

TU Delft / FORMIT Foundation

Sunday September 29, 2013 9:00am - 9:35am
GMUSL Room 332

