Cybersecurity | 2021

All For Naught: An Empirical Examination of the Impact of Breach Notification Laws

 

Abstract


In this work, I examine the impact that breach notification laws have had on the incidence rate of breaches of consumer data. Since 2003, every US state has passed some form of breach notification requirement. In doing so, the stated goal has been to create a market for consumer privacy, wherein consumers may select into interacting with firms that are more responsible stewards of their data. However, limited empirical work has been devoted to determining the impact of these legislative efforts. Results from a multi-site difference-in-difference estimation indicate no significant change in the number of breaches or the number of breached records after the passage of such statutes. Results further suggest no demonstrable long-term change in the number of identity thefts or claims of fraud, i.e., a precisely estimated null. This absence of effect persists when considering legislative efforts that create private rights of action, require notification of the attorney general, and more, and suggests the need to consider different ways to approach consumer privacy. I propose one such alternative: standards setting by an administrative agency which creates safe harbors for conforming firms.

DOI 10.2139/ssrn.3885993
Language English
Journal Cybersecurity
