Brad Greenwood, George Mason University – Efficacy of Breach Notification Laws

Data breaches put our personal data at risk, so what is being done about them?

Brad Greenwood, professor of information systems and operations management and the Maximus Corporate Partner Professor of Business at George Mason University, explores whether current laws are keeping us safe.

Brad N. Greenwood is a professor of information systems and operations management and holds the Maximus Corporate Partner Professorship at George Mason University. Previously, he served as an associate professor at the University of Minnesota’s Carlson School of Management and has also been part of the faculty at Temple University’s Fox School of Business and the University of Maryland’s Smith School of Business. Dr. Greenwood’s research focuses on the impacts of innovation, particularly how information from these innovations affects societal welfare in areas like healthcare and entrepreneurship. He is an Associate Editor at Management Science and his research has been published in numerous prestigious journals, including The Proceedings of the National Academy of Sciences, Administrative Science Quarterly, and Management Science, among others.

Efficacy of Breach Notification Laws

Are you worried about the constant stream of companies that hold your data and get hacked? Well, you should be. With increasing reports of cyberattacks, all 50 states and the District of Columbia have enacted Breach Notification Laws, otherwise known as BNLs, which require companies to notify users when their data has been breached. The question is, does letting users know that their data has been breached make data safer? Or deter attacks in the future?

For our recent publication in The Review of Law & Economics, my co-author, Paul Vaaler of the University of Minnesota, and I set out to answer this question.

Using data from the Privacy Rights Clearinghouse and the Federal Trade Commission (FTC), we tracked the state-by-state effects of BNLs as they were rolled out across the country from 2005 to 2019. Our results indicate, drumroll, that there has been no long-term decline in data breaches stemming from these laws. There has been no effect on the number of records stolen. There has been no effect on fraud. And there has been no effect on identity theft. Zero. Zip. Zilch.

Why would that be? The objective of BNLs is to encourage companies to make proactive investments in cybersecurity, thereby avoiding the embarrassment and reputational damage of admitting they were hacked. Yet, in an age where data breaches occur on a daily basis, it is more than evident that each individual breach is getting lost in the noise.

A more effective government-driven solution might involve an economic payoff for investing in cybersecurity or a penalty for inaction. That would hit companies where it matters most: the bottom line. Another possibility could be establishing a scoring system to rate companies' cybersecurity readiness, sort of like a credit score. This would, in theory, use the power of the consumer purse to reward cybersecurity leaders over laggards.
