Team for Research in
Ubiquitous Secure Technology

Do Data Breach Disclosure Laws Reduce Identity Theft?
Sasha Romanosky, Rahul Telang, Alessandro Acquisti

Citation
Sasha Romanosky, Rahul Telang, Alessandro Acquisti. "Do Data Breach Disclosure Laws Reduce Identity Theft?". Technical report, Carnegie Mellon University, 2010; http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1268926.

Abstract
Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce identity theft, their full effects have yet to be empirically measured. We use panel from the US Federal Trade Commission with state and time fixed effects regression to estimate the impact of data breach disclosure laws on identity theft from 2002 to 2007. We find that adoption of data breach disclosure laws have a marginal effect on the incidences of identity thefts and reduce the rate by just under 2%, on average. While this effect is marginal, reducing identity theft is only one means by which these laws can be evaluated: we appreciate that they may have other benefits such as reducing the average victim's losses or improving a firm's security and operational practices.

Electronic downloads

Citation formats  
  • HTML
    Sasha Romanosky, Rahul Telang, Alessandro Acquisti. <a
    href="http://www.truststc.org/pubs/669.html"
    ><i>Do Data Breach Disclosure Laws Reduce Identity
    Theft?</i></a>, Technical report,  Carnegie
    Mellon University, 2010;
    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1268926.
  • Plain text
    Sasha Romanosky, Rahul Telang, Alessandro Acquisti. "Do
    Data Breach Disclosure Laws Reduce Identity Theft?".
    Technical report,  Carnegie Mellon University, 2010;
    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1268926.
  • BibTeX
    @techreport{RomanoskyTelangAcquisti10_DoDataBreachDisclosureLawsReduceIdentityTheft,
        author = {Sasha Romanosky and Rahul Telang and Alessandro
                  Acquisti},
        title = {Do Data Breach Disclosure Laws Reduce Identity
                  Theft?},
        institution = {Carnegie Mellon University},
        year = {2010},
        note = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1268926},
        abstract = {Identity theft resulted in corporate and consumer
                  losses of $56 billion dollars in 2005, with about
                  30% of known identity thefts caused by corporate
                  data breaches. Many US states have responded by
                  adopting data breach disclosure laws that require
                  firms to notify consumers if their personal
                  information has been lost or stolen. While the
                  laws are expected to reduce identity theft, their
                  full effects have yet to be empirically measured.
                  We use panel from the US Federal Trade Commission
                  with state and time fixed effects regression to
                  estimate the impact of data breach disclosure laws
                  on identity theft from 2002 to 2007. We find that
                  adoption of data breach disclosure laws have a
                  marginal effect on the incidences of identity
                  thefts and reduce the rate by just under 2%, on
                  average. While this effect is marginal, reducing
                  identity theft is only one means by which these
                  laws can be evaluated: we appreciate that they may
                  have other benefits such as reducing the average
                  victim's losses or improving a firm's security and
                  operational practices. },
        URL = {http://www.truststc.org/pubs/669.html}
    }
    

Posted by Alessandro Acquisti on 29 Mar 2010.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.