Abstract

The aim of the chapter is to assess data breach risk. In particular, the severity of the risk is quantified and the factors determining that severity are identified. We take the number of records compromised in one data breach incident as a proxy for the severity of the data breach risk. The chapter draws on the experience of almost 15 years of data protection and data breach notification regulation in the United States, and offers insight into the state of cybersecurity as indicated by the number of data breaches. Based on the Privacy Rights Clearinghouse database, we examine the statistical properties of data on data breaches disclosed in the United States from 2005 to 2016. The size of our dataset is 5102. The Kruskal–Wallis test is applied to verify our hypotheses, and the severity of a data breach is modeled by the Pareto distribution. The chapter concludes with several interesting results. Negligent data breaches occur twice as frequently as malicious ones. The dominant causes of data breaches vary by organization type, which suggests that cyber risk management strategies should be tailored to the individual profile of an entity. Surprisingly, implementation of the data breach notification state laws in the United States has not affected the number of breach incidents reported in the particular states. Cause of data breach, type of organization, and geographical region are statistically significant factors that differentiate the population of affected organizations in terms of the severity of the loss.
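As an added illustration of the two methods the abstract names (this is not code from the chapter or its authors), the following Python fits the Pareto shape parameter to breach sizes by maximum likelihood and computes a tie-corrected Kruskal–Wallis H across breach-cause groups, with a closed-form chi-square p-value for an even number of degrees of freedom. The breach sizes and cause labels are constructed sample values, not the Privacy Rights Clearinghouse data, and the tail threshold xmin is an assumed parameter.

```python
import math

# Constructed sample (hypothetical, NOT Privacy Rights Clearinghouse data):
# records compromised per incident, grouped by an assumed breach cause.
BREACHES = {
    "hacking": [500, 1200, 3000, 15000, 40000, 250000, 1200000],
    "unintended disclosure": [150, 300, 800, 2500, 6000, 10000, 30000],
    "physical loss": [100, 200, 450, 900, 1500, 4000, 8000],
}

def pareto_mle(sizes, xmin):
    """MLE of the Pareto shape alpha over the tail at or above xmin.
    alpha <= 1 means the mean breach size does not exist: a very heavy tail."""
    tail = [x for x in sizes if x >= xmin]
    return len(tail) / sum(math.log(x / xmin) for x in tail)

def _average_ranks(values):
    """1-based ranks across all observations; tied values share their mean rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def kruskal_wallis_h(groups):
    """Tie-corrected Kruskal-Wallis H for a dict of group name -> sample."""
    labels = [g for g, s in groups.items() for _ in s]
    values = [x for s in groups.values() for x in s]
    n = len(values)
    rank_sum = dict.fromkeys(groups, 0.0)
    for g, r in zip(labels, _average_ranks(values)):
        rank_sum[g] += r
    h = 12 / (n * (n + 1)) * sum(rank_sum[g] ** 2 / len(s)
                                  for g, s in groups.items()) - 3 * (n + 1)
    ties = {}
    for v in values:
        ties[v] = ties.get(v, 0) + 1
    correction = 1 - sum(t ** 3 - t for t in ties.values()) / (n ** 3 - n)
    return h / correction if correction else float("nan")

def chi2_sf_even_df(x, df):
    """Chi-square survival function for EVEN df (df = groups - 1); for 3 causes it is exp(-x/2)."""
    return math.exp(-x / 2) * sum((x / 2) ** i / math.factorial(i) for i in range(df // 2))
```

On the constructed sample, `kruskal_wallis_h(BREACHES)` is about 4.59 with p close to 0.10, and the hacking group's fitted alpha is below 1, the heavy-tail regime in which a single incident can dominate total loss.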
