Data Breach Notification Research Articles

Data Breach Notifications in the UK

Data Breach Notifications in the UK

Why information security law has been ineffective in addressing security vulnerabilities: Evidence from California data breach notifications and relevant court and government records

Why has the information security law been unsuccessful in having firms in possession of personal data take precautions against data breaches? Why are data breaches becoming more devastating notwithstanding law enforcement? This article seeks an answer from the legal system’s failure to draw a line between agency problems and externalities inherent in the information security market. Although a firm’s misaligned incentive to invest in security measures is basically an agency problem to be addressed by data breach litigation, the U.S. courts’ reluctance to grant Article III standing has reduced potential plaintiffs’ chance of winning and propensity to litigate, impairing the functionality of the private enforcement. As an exception, security vulnerabilities can have the nature of negative externalities to be addressed by the public enforcement, to the extent that those in “key holders” such as payment card processors enable intruders to easily circumvent the security measures taken by other firms in the same security chain, and that those in massive data aggregators undermine public trust in the whole data infrastructure. Government regulations, which need to be targeted at such sources of negative externalities, have actually been misaimed at a few cases arising from conventional agency problems. To test these hypotheses, this article presents an empirical study of security breach notifications filed in California during 2012–2016 and relevant court and government agency records produced until 2018.

Beyond Mandatory: Making Data Breach Notifications Useful for Consumers

Data breaches pose significant security and privacy risks to affected consumers. However, it is doubtful whether data breach notifications mandated by respective laws effectively inform consumers of risks stemming from a data breach and motivate them to take protective actions.^5,8,12 We analyze potential reasons for consumers' inaction after a data breach and discuss how data breach notifications and respective requirements should be improved.

Legally Cognizable Manipulation

Swaths of personal and nonpersonal information collected online about Internet users are increasingly being used in sophisticated ways for online political manipulation. This represents a new trend in the exploitation of data, where instead of pursuing direct financial gain based on the face value of the data, actors engage in data analytics using advanced artificial intelligence technologies that allow them to more easily access individuals’ cognition and future behavior. Although in recent years the concept of online manipulation has received some academic and policy attention, the desirable relationship between cybersecurity law and online manipulation is not yet fully explored. In other words, regulators and courts have yet to realize the importance of linking cybersecurity law to individual autonomy, privacy, and democracy. This Article provides an account of the desirable relationship between cybersecurity law and other values, such as autonomy, privacy, and democracy, by looking at the phenomenon of online manipulation achieved through psychographic profiling. It argues that the volume, efficacy, and sophistication of present online manipulation techniques pose a considerable and immediate danger to autonomy, privacy, and democracy. Internet actors, political entities, and foreign adversaries carefully study the personality traits and vulnerabilities of Internet users and, increasingly, target each such user with an individually tailored stream of information or misinformation with the intent of exploiting the weaknesses of these individuals. This Article makes a broader argument about cybersecurity law and its narrow focus on identity theft and financial fraud. Primarily, this Article looks at data-breach notification law, a subset of cybersecurity law, as reflective of that limited scope. It argues that data-breach notification law could provide a much-needed backdrop for the challenges presented by online manipulation, while alleviating the sense of lawlessness engulfing current misuses of personal and nonpersonal data. At the heart of this Article is an inquiry into the expansion of dated notions of cybersecurity law. Presently, cybersecurity law’s narrow approach seeks to remedy materialized harms such as identity theft or fraud. This approach contravenes the purpose of cybersecurity law—to create legal norms protecting the confidentiality, integrity, and availability of computer systems and networks. If cybersecurity law seeks to protect individuals from the externalities of certain cyber risks, it needs to recognize emerging threats targeting computer systems and networks, and subsequently, individual autonomy, privacy, and democracy.

How readable are data breach notifications?

Data breaches – broadly defined as incidents where protected data that is considered sensitive and confidential has been disclosed, accessed and/or altered in an unauthorised manner – present a growing threat to society and organisations. While much of the focus to date has been on technical countermeasures, particularly the ways to prevent and detect security threats associated with data breach incidents, we also need greater insights into the readability of the notification response used by firms to alert affected consumers after a suspected incident has taken place. Data breaches – where protected data that is considered sensitive and confidential has been accessed in an unauthorised manner – present a growing threat to society and organisations. While much of the focus to date has been on technical countermeasures, we also need greater insights into the readability of the notification response used by firms to alert affected consumers after a suspected incident has taken place. Stephen Jackson of the University of London examines ways in which we can judge how comprehensible breach notifications are and how we can go about improving them.

An analysis of the effectiveness of the EU data breach notification obligation

In this paper we study the law and economics of the EU data breach notification obligation (EU DBNO), which is part of the general data protection regulation. We start our discussion with the origins and aims of the EU DBNO. Following this, we study the social benefits of the DBNO and the conditions for these social benefits to emerge. Next, we analyse whether there would be spontaneous notification without the existence of a DBNO. We discuss how the national DPAs, that are responsible for the execution of the EU DBNO, can sufficiently induce data controllers to comply with the regulation. We also discuss the scope of the regulation from a social welfare perspective, in particular the conditions, which trigger a notification from data controllers.

The introduction of data breach notification legislation in Australia: A comparative view

This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australia legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will be then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.

Fool Me Twice: An Analysis of Repeat Data Breaches within Firms

Data breach notification laws in the United States mandate firms to take remedial actions when consumer data is compromised. Interestingly, the policies contained within these laws vary by state and by year of law enactment. We investigate the effects of the various policies to determine how firms respond to the implementation of data breach notification laws. Drawing upon institutional and deterrence theory, we hypothesize that firms facing stricter sanctions resulting from a data breach will experience fewer subsequent breaches in comparison to other firms. We create a unique panel data set using breach information collected between 2005 and 2016 to estimate several panel regressions with fixed effects. Our results show that policies that increase the costs associated with a data breach reduce a firm’s subsequent breaches by up to 50%, depending on the policy. Our findings are consistent across several robustness models and offer unique theoretical contributions to the information security literature as well as practical contributions to policymakers and security experts.

A comparison of data protection legislation and policies across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement.The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.

Strengthening data privacy: the obligation of organisations to notify affected individuals of data breaches

ABSTRACTThe Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced a new Part IIIC into the Privacy Act to strengthen the existing information privacy laws by requiring the designated organisations to notify the Information Commissioner and affected individuals of data breaches that are likely to cause serious harm. The objective of this article is to consider the proper public policy basis for data breach notification laws, the likely ambit of operation of the new provisions and the merits of the law in enhancing data security. Whilst the article focuses on the Australian legislative framework, the provisions European Union’s new General Data Protection Regulation 2016/679, 27 April 2016, will also be considered to extend the discussion of appropriate law in this area. The article will conclude by identifying continuing areas of concern and suggesting initiatives to further strengthen the data privacy of individuals.

A Comparison of Data Protection Legislation and Policies Across the EU

Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement. The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are front runners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.

Compelling truth: legal protection of the infosphere against big data spills.

The paper explores whether legal and ethical concepts that have been used to protect the natural environment can also be leveraged to protect the 'infosphere', a neologism used by Luciano Floridi to characterize the totality of the informational environment. We focus, in particular, on the interaction between allocation of (intellectual) property rights and 'communication duties', in particular, data breach notification duties.This article is part of the themed issue 'The ethical impact of data science'.

Global InfoSec and Breach Standards

The European Commission's General Data Protection Regulation (GDPR) offers contextual data security and breach notification standards applicable to organizations located or doing business in the EU. These regulations are compared to US and Canadian standards. Although each jurisdiction's regulations differ, they all account for situational risk and harm to individual data subjects and strongly encourage encryption.

Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?

AbstractThis article investigates the adequateness of data breach notification laws and the possible impact of a federal law in the United States. Based on the analysis of 445 notifications issued in 2014, three observations for law development are presented. First, the question about underreporting is raised and a possible option for facilitating its emergence is proposed. Second, the specification of the dates of the breach detection and of the breach itself are identified as essential to foster consumers' reaction. Finally, a stricter regulation of the content of the notification is suggested to avoid firms minimizing the actual risk.

Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?

AbstractThis article investigates the adequateness of data breach notification laws and the possible impact of a federal law in the United States. Based on the analysis of 445 notifications issued in 2014, three observations for law development are presented. First, the question about underreporting is raised and a possible option for facilitating its emergence is proposed. Second, the specification of the dates of the breach detection and of the breach itself are identified as essential to foster consumers' reaction. Finally, a stricter regulation of the content of the notification is suggested to avoid firms minimizing the actual risk.

Disclosure of personal information under risk of privacy shocks

Breaches of the security of personal data collected by firms are reported almost daily. Companies are under an increasing political pressure to notify individuals whose privacy as been breached. At the moment, we know virtually nothing about the behavioral impact of data breach notifications. We present the results of an experimental study designed to investigate how breach notifications change the individual's propensity to provide sensitive personal information to firms. In contrast to the theory (where breach notifications have no behavioral effect), our main result shows that notifications induce a sub-group of individuals to disclose less information to a firm, i.e. those with personally sensitive information.

Quantifying Key Characteristics of 71 Data Protection Laws

This research is the first ever systematic study that unlocks six paramount characteristics in the literal text of 71 Data Protection Laws (DPLs). The quantification fosters comparison of a potential federal U.S. law with DPLs in the rest of the world. It can also be used for empirical legal research in information security by linking the index or subsets to data concerning, for instance, deep packet inspection. This research is exploratory: adding more characteristics to the database is one of the key next steps for future research.There are some noteworthy initial results: only 5 out of 71 DPLs have penalties that deter companies for non-compliance. Also, compared to the U.S. states, few countries have data breach notification laws. Principal component analysis reveals more information. Characteristics can be grouped in two unobserved factors, which explain ‘basic characteristics’ across laws and ‘add ons’ to these characteristics.By summing these two factors a privacy index is constructed. Countries that are not known for their stringent privacy control such as Mauritius and Mexico cover a top position of this index. Member States of the European Union have DPLs with a privacy control score above average but no absolute top position.

Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?

While the discussion about a federal law on data breach notification is ongoing and a rash of large, costly data breaches has galvanized public interest in the issue, this paper investigates on the phenomenon of data breach notification letters in terms of their content. We explore the causal link between on one side state specific notification regimes, breached organisation industry-sectors and breach types that generate notifications and on the other side the type and timing of the communications issued by organisations. This will contribute to shed light on the ultimate resulting effects of the current set up of the data breach notification laws in US. In particular, based on the observed companies’ behaviour, do these laws act predominantly on the reputational fear of the breached organizations increasing company security measures or on the mitigation that customers can put into place once the communication is received? In order to perform such analysis we empirically answer to the questions below labeling a sample of letters according to the messages customers may perceive when they read them. Specifically, over 400 notifications issued in U.S. in 2014 are classified based on elements that can be isolated and analysed, e.g. (1) does the letter alarm the customer about possible consequences or does rather belittle the event (2) is the customer in the position to immediately identify the importance of such a missive, or can the letter mislead the addressee, who qualifies it as spam. The analysis of the content of the letters is also extended to the time span between the data breach and the delivery of the notification to the customer. According to these intentional choices made by organisations when composing and sending notifications, we are able to depict pitfalls and opportunities generated by the possible implementation of a federal data breach notification law in U.S. in opposition to the present state of the art. The research is innovative in presenting objective findings related to notification timing, notification style, and notification content more in general. It is based on 445 letters issued in 2014 in 4 States, representing more than 50% of Data Breaches reported in U.S. in the same year (783 according to ITRC - Identity Theft Resource Center).

The Significance of Mandatory Data Breach Warnings to Identity Crime

The relationship between data breaches and identity crime has been scarcely explored in current literature. However, there is an important relationship between the misuse of personal identification information and identity crime as the former is in many respects the catalyst for the latter. Data breaches are one of the ways in which this personal identification information is obtained by identity criminals, and thereby any response to data breaches is likely to impact the incidence of identity crime. Initiatives around data breach notification have become increasingly prevalent and are now seen in many State legislatures in the United States and overseas. The Australian Government is currently in the process of introducing mandatory data breach notification laws. This paper explores the introduction of mandatory data breach notification in Australia, and lessons learned from the experience in the US, particularly noting the link between data breaches and identity crime. The paper proposes that through the introduction of such laws, identity crimes are likely to be reduced. Keywords—identity crime; data breaches; mandatory breach reporting; privacy

To Notify or Not to Notify? Do Organizations Comply with U.S. Data Breach Notification Laws? An Empirical Study

To Notify or Not to Notify? Do Organizations Comply with U.S. Data Breach Notification Laws? An Empirical Study