Abstract
From 2003 to 2018, all 50 states and the District of Columbia enacted breach notification laws (BNLs) mandating that firms suffering data breaches provide timely notification to affected persons and others about breach incidents and mitigation responses. BNLs were supposed to decrease data breaches and develop a market for data privacy where firms could strike their preferred balance between data security quality and cost. We find no systemic evidence for either supposition. Results from two-way difference-in-difference analyses indicate no decrease in data breach incident counts or magnitudes after BNLs are enacted. Results also indicate no longer-term decrease in data misuse after breaches. These non-effects appear to be precisely estimated nulls that persist for different firms, time-periods, data-breach types, and BNL types. Apparently inconsistent notification standards and inadequate information dissemination to the public may explain BNL ineffectiveness. An alternative federal regime may address these shortcomings and let a national BNL achieve goals state BNLs have apparently failed to meet.
© 2023 Walter de Gruyter GmbH, Berlin/Boston