Abstract

We ask whether US state laws requiring notification when firms suffer data breaches actually decrease data breaches. From 2003 to 2018, 50 states and the District of Columbia enacted breach notification laws (BNLs) requiring firms to notify states after suffering data breaches, undertake breach mitigation, pay fines for non-compliance, and accept liability for damages to the public and to private individuals. BNLs were supposed to reduce data breaches and create a market for data privacy in which firms could strike their preferred balance between data security for consumers and its cost to them. We find no evidence supporting this supposition. Results from multi-state difference-in-differences analyses indicate no significant change in annual breach counts or breach magnitudes following BNL enactment. Results also indicate no significant long-term change in rates of identity theft, fraud, and related data misuse. These non-effects persist across different firms, time periods, and types of BNLs. We conjecture that inconsistent state notification standards and inadequate state dissemination of information about which firms lead and which lag in data security explain BNL ineffectiveness to date. We propose a new US federal regime to address these shortcomings and let a national BNL achieve the goals that state BNLs have clearly failed to meet.
