Abstract
We ask whether US state laws requiring notification when firms suffer data breaches actually decrease data breaches. From 2003 to 2018, all 50 states and the District of Columbia enacted breach notification laws (BNLs) requiring firms to notify states after suffering data breaches, undertake breach mitigation, pay fines for non-compliance, and bear liability for damages to the public and to private individuals. BNLs were supposed to reduce data breaches and create a market for data privacy in which firms could strike their preferred balance between data security for consumers and its cost to them. We find no evidence supporting this supposition. Results from multi-state difference-in-differences analyses indicate no significant change in annual breach counts or breach magnitudes following BNL enactment. Results also indicate no significant long-term change in rates of identity theft, fraud, and related data misuse. These null effects persist across firm types, time periods, and kinds of BNLs. We conjecture that inconsistent state notification standards, and inadequate state dissemination of information about which firms lead and which lag in data security, explain BNL ineffectiveness to date. We propose a new US federal regime to address these shortcomings and let a national BNL achieve the goals that state BNLs have clearly failed to meet.