Do Data Breach Disclosure Laws Reduce Identity Theft? (Updated)

In the United States, identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with up to 35 percent of known identity thefts caused by corporate data breaches. Many states have responded by adopting “data breach disclosure laws” that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce identity theft, their effect has yet to be empirically measured. We use panel data from the U.S. Federal Trade Commission to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2009. We find that adoption of data breach disclosure laws reduce identity theft caused by data breaches by 6.1 percent, on average.

[1]  Jack L. Walker The Diffusion of Innovations among the American States , 1969, American Political Science Review.

[2]  Philip J. Cook,et al.  Public Safety Through Private Action: An Economic Assessment of Bids, Locks, and Citizen Cooperation , 2010 .

[3]  Joseph Simitian UCB Security Breach Notification Symposium March 6, 2009: How a Bill Becomes a Law, Really , 2009 .

[4]  Brian J. Cook,et al.  Full Disclosure: The Perils and Promise of Transparency , 2007, Perspectives on Politics.

[5]  Rahul Telang,et al.  An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price , 2007, IEEE Transactions on Software Engineering.

[6]  C. Hoofnagle Identity Theft: Making the Known Unknowns Known , 2007 .

[7]  P. Schwartz,et al.  Notification of Data Security Breaches , 2006 .

[8]  Thomas M. Lenard,et al.  Much Ado about Notification , 2006 .

[9]  Bruce H. Kobayashi An Economic Analysis of the Private and Social Costs of the Provision of Cybersecurity and other Public Security Goods , 2006, Supreme Court Economic Review.

[10]  Myung S. Ko,et al.  THE IM P ACT OF INFORM A TION SECURITY BREACHES ON FINANCIAL PERFORMANCE OF THE BREACHED FIRMS: AN EMPIRICAL INVESTIG A TION , 2006 .

[11]  Alessandro Acquisti,et al.  Is There a Cost to Privacy Breaches? An Event Study , 2006, WEIS.

[12]  Bradford S. Jones,et al.  Beyond Logit and Probit: Cox Duration Models of Single, Repeating, and Competing Events for State Policy Adoption , 2005, State Politics & Policy Quarterly.

[13]  Scott Lobdell,et al.  Identity Theft , 2006 .

[14]  Huseyin Cavusoglu,et al.  The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers , 2004, Int. J. Electron. Commer..

[15]  John J. Donohue,et al.  Guns, Crime, and the Impact of State Right-to-Carry Laws , 2004 .

[16]  Hashem Dezhbakhsh,et al.  The Deterrent Effect of Capital Punishment: Evidence from a "Judicial Experiment" , 2006 .

[17]  R. Gittings,et al.  Getting off Death Row: Commuted Sentences and the Deterrent Effect of Capital Punishment* , 2003, The Journal of Law and Economics.

[18]  Lei Zhou,et al.  The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market , 2003, J. Comput. Secur..

[19]  Ian Ayres,et al.  Shooting Down the More Guns, Less Crime Hypothesis , 2002 .

[20]  Laura Dugan,et al.  Identifying Unit-Dependency and Time-Specificity in Longitudinal Analysis: A Graphical Methodology , 2002 .

[21]  G. Jin,et al.  The Effect of Information on Product Quality: Evidence from Restaurant Hygiene Grade Cards , 2002 .

[22]  Alan D. Mathios,et al.  The Impact of Mandatory Disclosure Laws on Product Choices: An Analysis of the Salad Dressing Market* , 2000, The Journal of Law and Economics.

[23]  Mark A. Cohen,et al.  Empirical Research on the Deterrence Effect of Environmental Monitoring and Enforcement , 2000 .

[24]  Dan A. Black,et al.  Do Right‐To‐Carry Laws Deter Violent Crime? , 1998, The Journal of Legal Studies.

[25]  G. Alan Tarr,et al.  Understanding State Constitutions , 1998 .

[26]  Steven D. Levitt,et al.  Measuring Positive Externalities from Unobservable Victim Precaution: An Empirical Analysis of Lojack , 1997 .

[27]  David B. Mustard,et al.  Crime, Deterrence, and Right‐to‐Carry Concealed Handguns , 1997, The Journal of Legal Studies.

[28]  J. Keen Slow down. , 1995, Journal of emergency nursing: JEN : official publication of the Emergency Department Nurses Association.

[29]  W. Kip Viscusi,et al.  Informational approaches to regulation , 1992 .

[30]  Steven Shavell,et al.  Individual Precautions to Prevent Theft: Private Versus Socially Optimalbehavior , 1990 .

[31]  Charles D. Kolstad,et al.  Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements? , 1990 .

[32]  P Sheck,et al.  How a bill becomes a law. , 1989, Gastroenterology nursing : the official journal of the Society of Gastroenterology Nurses and Associates.

[33]  Philip J. Cook,et al.  The Demand and Supply of Criminal Opportunities , 1986, Crime and Justice.

[34]  Steven Shavell,et al.  A MODEL OF THE OPTIMAL USE OF LIABILITY AND SAFETY REGULATION , 1984 .

[35]  R. Posner The Federal Trade Commission , 1969 .

[36]  Albert D. Biderman,et al.  On Exploring the "Dark Figure" of Crime , 1967 .