Wednesday, June 11, 2008

Do Data Breach Disclosure Laws Reduce Identity Theft?

The answer is: apparently not.

Three Carnegie Mellon University authors have written a paper entitled Do Data Breach Disclosure Laws Reduce Identity Theft?, written for an upcoming Workshop on the Economics of Information Security at Dartmouth University:

"Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured (...) We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices." [Source:]

Earlier Library Boy posts on data breaches include:

Labels: , , ,

Bookmark and Share Subscribe
posted by Michel-Adrien at 9:23 am


Post a Comment

<< Home