from the Kansas Fed
this post authored by Richard J. Sullivan and Jesse Leigh Maniff
Data breaches, which expose sensitive data often used for payment fraud and identity theft, have recently worsened in the United States. Exposed records provide essential data for identity thieves, who in 2014 victimized 17.6 million people in the United States (Harrell). As a consequence, policymakers are placing greater emphasis on procedures to protect consumers from harm.

Breach notification laws are one such approach. Forty-seven state laws and some sector-specific federal laws already require organizations suffering a breach to disclose the incident and notify consumers if their data were exposed. In theory, breach notification laws serve two purposes important to public policy. First, they provide an incentive for organizations to protect sensitive data, as publicly disclosed security failures may harm their reputation and trigger costly remediation activities. Second, they inform individuals whose records were exposed, allowing them to react quickly to mitigate potential damages.
Research has shown that identity theft declines after a state adopts a data breach notification law (Romanosky and others). Research is less conclusive regarding how specific provisions in these laws might affect identity theft. In this article, we study recent identity theft complaints to investigate how provisions of state data breach notification laws affect identity theft. We find five provisions in notification laws associated with less identity theft. We also find three provisions associated with more identity theft. These results may help guide public policy concerning breach notifications to protect the public after a breach and encourage organizations to improve data security.
Source: https://www.kansascityfed.org/~/media/files/publicat/econrev/econrevarchive/2016/1q16sullivanmaniff.pdf





