Data breach notification laws

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data,[1] to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security.[2]Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.[3]

Such laws have been irregularly enacted in all 50 U.S. states since 2002. Currently, all 50 states have enacted forms of data breach notification laws.[4] There is no federal data breach notification law, despite previous legislative attempts.[5] These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.[6] Similarly, multiple other countries, like the European Union General Data Protection Regulation (GDPR) and Australia's Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), have added data breach notification laws to combat the increasing occurrences of data breaches.[7]

The rise in data breaches conducted by both countries and individuals is evident and alarming, as the number of reported data breaches has increased from 421 in 2011, to 1,091 in 2016, and 1,579 in 2017 according to the Identity Theft Resource Center (ITRC).[8][9] It has also impacted millions of people and gained increasing public awareness due to large data breaches such as the October 2017 Equifax breach that exposed almost 146 million individual's personal information.[10]

  1. ^ Sen, Ravi; Borle, Sharad (2015-04-03). "Estimating the Contextual Risk of Data Breach: An Empirical Approach". Journal of Management Information Systems. 32 (2): 314–341. doi:10.1080/07421222.2015.1063315. ISSN 0742-1222. S2CID 2311182.
  2. ^ Bisogni, Fabio (2016). "Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?". Journal of Information Policy. 6: 154–205. doi:10.5325/jinfopoli.6.2016.0154. ISSN 2158-3897. JSTOR 10.5325/jinfopoli.6.2016.0154.
  3. ^ Acquisti, Alessandro; Friedman, Allan; Telang, Rahul (2006). "Is there a cost to privacy breaches? An event study". ICIS 2006 Proceeding.
  4. ^ Murciano-Goroff, Raviv (2019). "Do Data Breach Disclosure Laws Increase Firms; Investment in Securing their Digital Infrastructure?". Workshop on the Economics of Information Security: 1–39.
  5. ^ Garrison, Chlotia; Hamilton, Clovia (2019-01-02). "A comparative analysis of the EU GDPR to the US's breach notifications" (PDF). Information & Communications Technology Law. 28 (1): 99–114. doi:10.1080/13600834.2019.1571473. hdl:10535/10737. ISSN 1360-0834. S2CID 86668452.
  6. ^ "Security Breach Notification Laws". National Conference of State Legislatures. Retrieved 27 January 2019.
  7. ^ "What is GDPR, the EU's new data protection law?". GDPR.eu. 2018-11-07. Retrieved 2021-10-25.
  8. ^ Bisogni, Fabio; Asghari, Hadi (2020). "More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws". Journal of Information Policy. 10: 45–82. doi:10.5325/jinfopoli.10.2020.0045. ISSN 2381-5892. JSTOR 10.5325/jinfopoli.10.2020.0045. S2CID 226623656.
  9. ^ Romanosky, Sasha; Boudreaux, Benjamin (2020-08-26). "Private-Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government". International Journal of Intelligence and CounterIntelligence. 34 (3): 463–493. doi:10.1080/08850607.2020.1783877. ISSN 0885-0607. S2CID 235636491.
  10. ^ Ronaldson, Nicholas (2019-05-01). "HACKING: THE NAKED AGE CYBERCRIME, CLAPPER & STANDING, AND THE DEBATE BETWEEN STATE AND FEDERAL DATA BREACH NOTIFICATION LAWS". Northwestern Journal of Technology and Intellectual Property. 16 (4): 305. ISSN 1549-8271.