Do data breach disclosure laws reduce identity theft?

Journal of Policy Analysis and Management

Volumn 30, Issue 2, 2011, Pages 256-286

  Romanosky, Sasha ^a   Telang, Rahul ^a   Acquisti, Alessandro ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 79952376649     PISSN: 02768739     EISSN: 15206688     Source Type: Journal    
DOI: 10.1002/pam.20567     Document Type: Article

References (76)

1. Acquisti, A., Friedman, A., & Telang, R. (2006, June). Is there a cost to privacy breaches? An event study. Paper presented at the Fifth Workshop on the Economics of Information Security, University of Cambridge, England.
2. Assessing data security: Preventing breaches and protecting sensitive information. (2005). Hearing before the Committee on Financial Services, House of Representatives, 109th Congress.
3. Ayres, I., & Levitt, S. (1998). Measuring positive externalities from unobservable victim precautions: An empirical analysis of lojack. Quarterly Journal of Economics, 113, 43-77.
4. Baum, K. (2006, April). Identity theft, 2004. Special Report NCJ 212213. Washington, DC: Bureau of Justice Statistics. Retrieved December 16, 2010, from.
5. Baum, K. (2007, November). Identity theft, 2005. Special Report, NCJ 219411. Washington, DC: Bureau of Justice Statistics. Retrieved December 16, 2010, from.
6. Bertrand, M., Duflo, E., & Mullainathan, S. (2004). How much should we trust differences-in-differences estimates? Quarterly Journal of Economics, 119, 249-275.
7. Biderman, A. D., & Reiss, A. J., Jr. (1967). On exploring the "dark figure" of crime. Annals of the American Academy of Political and Social Science, 374, 1-15.
8. Black, D., & Nagin, D. (1998). Do right-to-carry laws deter violent crime? Journal of Legal Studies, 27, 209-219.
9. Brodkin, J. (2007, April 10). Victims of ChoicePoint data breach didn't take advantage of free offers. Network World. Retrieved September 12, 2009, from.
10. Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11, 431-448.
11. Cate, F. (2005, February 27). Another notice isn't answer. USA Today. Retrieved October 15, 2009, from.
12. Cate, F. (2009, March). Comparative approaches to security breaches. Paper presented at the symposium on Security Breach Notification Six Years Later: Lessons Learned about Identity Theft and Directions for the Future, Berkeley Center for Law and Technology, Berkeley, CA. Retrieved December 16, 2010, from.
13. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and Internet security developers. International Journal of Electronic Commerce, 9, 70-104.
14. Cleary, J., & Shapiro, E. (1999). The effects of "shall-issue" concealed-carry licensing laws: A literature review. Information brief, Minnesota House of Representatives Research Department, St. Paul, MN.
15. Cohen, M. A. (2000). Empirical research on the deterrent effect of environmental monitoring and enforcement. Environmental Law Reporter, 30, 10245-10252.
16. Cook, P. (1986). The demand and supply of criminal opportunities. Crime and Justice, 7, 1-27.
17. Cook, P., & MacDonald, J. (2010). Public safety through private action: An economic assessment of BIDs, locks, and citizen cooperation. NBER Reporter, 1, Conferences.
18. Data Breaches and Identity Theft. (2005). Prepared statement of the Federal Trade Commission before the Committee on Commerce, Science, and Transportation, U.S. Senate, 109th Congress.
19. Dezhbakhsh, H., & Shepherd, J. (2004). The deterrent effect of capital punishment: Evidence from a "judicial experiment." American Law and Economics Association Annual Meetings. Retrieved December 20, 2010, from.
20. Donohue, J. (2004). Guns, crime, and the impact of state right-to-carry laws. Fordham Law Review 73, 632-652.
21. Donohue, J., & Ayres, I. (2003). Shooting down the "more guns, less crime" hypothesis. Stanford Law Review, 51, 1193-1312.
22. Dugan, L. (2002). Identifying unit-dependency and time-specificity in longitudinal analysis: A graphical methodology. Journal of Quantitative Criminology, 18, 213-237.
23. Federal Trade Commission. (2003). FTC identity theft survey report: 2003. Washington, DC: Federal Trade Commission and Synovate.
24. Federal Trade Commission. (2007a). Consumer fraud and identity theft complaint data: January-December 2006. Washington, DC: Author.
25. Federal Trade Commission. (2007b). FTC identity theft survey report: 2006. Washington, DC: Federal Trade Commission and Synovate.
26. Fung, A., Graham, M., & Weil, D. (2007). Full disclosure: The perils of and promise of transparency. Cambridge, MA: Cambridge University Press.
27. Givens, B. (2000). Identity theft: How it happens, its impact on victims, and legislative solutions. Written testimony for the U.S. Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, 109th Congress.
28. Gordon, G. R., Rebovich, D. J., Choo, K., & Gordon, J. B. (2007). Identity fraud trends and patterns: Building a data-based foundation for proactive enforcement. Utica, NY: Center for Identity Management and Information Protection (CIMIP), Utica College.
29. Government Accountability Office. (2006). Preventing and responding to improper disclosures of personal information: Statement of David M. Walker, Comptroller General of the United States. Testimony before the Committee on Government Reform, House of Representatives. GAO publication GAO-06-833T. Washington, DC: Author.
30. Government Accountability Office. (2007). Data breaches are frequent, but evidence of resulting identity theft is limited; however, the full extent is unknown. GAO publication GAO-07-737. Washington, DC: Author.
31. H.B. 732, 59th Legislature, State of Montana. (2005) (enacted). Retrieved December 16, 2010, from.
32. Hoofnagle, C. J. (2007). Identity theft: Making the known unknowns known. Harvard Journal of Law and Technology, 21, 97-122.
33. Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information. (2005). Hearing before the Committee on Banking, Housing, and Urban Affairs, Senate, 109th Congress.
34. Illinois House Transcript. (2005, April 12). 94th General Assembly, Regular Session, 38th Legislative Day.
35. Javelin Research. (2006, January). Identity fraud survey report: 2006. Pleasanton, CA: Author.
36. Javelin Research. (2007, February). Identity fraud survey report: 2007. Pleasanton, CA: Author.
37. Javelin Research. (2010, February). 2010 Identity fraud survey report: Identity fraud continues to rise-new accounts fraud drives increase; consumer costs at an all time low. Pleasanton, CA: Author.
38. Jin, G. Z., & Leslie, P. (2003). The effect of information on product quality: Evidence from restaurant hygiene grade cards. Quarterly Journal of Economics, 118, 409-451.
39. Jones, B. S., & Branton, R. P. (2005). Beyond logit and probit: Cox duration models of single, repeating, and competing events for state policy adoption. State Politics and Policy Quarterly, 5, 420-443.
40. Kaplan, D. (2008, February 20). TJX reports soaring profits one year after breach disclosure. SC Magazine. Retrieved October 20, 2009, from.
41. Ko, M., & Dorantes, C. (2006). The impact of information security breaches on financial performance of the breached firms: An empirical investigation. Journal of Information Technology Management, 17, 13-22.
42. Kobayashi, B. (2005). An economic analysis of the private and social costs of the provision of cybersecurity and other public security goods. George Mason University School of Law Working Papers Series.
43. Kolstad, C., Ulen, T., & Johnson, G. (1990). Ex post liability for harm vs. ex ante safety regulation: Substitutes or complements? American Economic Review, 80, 888-901.
44. Lenard, T. M., & Rubin, P. H. (2005). Slow down on data security legislation. Progress Snapshot 1.9. Washington, DC: Progress & Freedom Foundation.
45. Lenard, T. M., & Rubin, P. H. (2006). Much ado about notification. Regulation, 29, 44-50.
46. Loewenstein, G., John, L., & Volpp, K. (in press). Using decision errors to help people help themselves. In E. Shafir (Ed.), The behavioral foundations of policy. Princeton, NJ: Princeton University Press.
47. Lott, J. R., Jr., & Mustard, D. B. (1997). Crime, deterrence and the right-to-carry concealed handguns. Journal of Legal Studies, 26, 1-68.
48. Magat, W. A., & Viscusi, W. K. (1992). Informational approaches to regulation. Cambridge, MA: MIT Press.
49. Mathios, A. (2000). The impact of mandatory disclosure laws on product choices: An analysis of the salad dressing market. Journal of Law and Economics, 43, 651-677.
50. Michigan Senate Journal. (2005). Regular Session No. 106.
51. Minnesota Commerce Committee (2006) Update. (2006, April 3). Minnesota Senate Committee on Commerce, Eighty-Fourth Legislature.
52. Mocan, H. N., & Gittings, K. (2003). Getting off death row: Commuted sentences and the deterrent effect of capital punishment. Journal of Law and Economics, 46, 453-478.
53. Nakashima, E., & O'Harrow, R., Jr.. (2008, February 22). LexisNexis parent set to buy ChoicePoint. Washington Post. Retrieved November 1, 2009, from.
54. Neal, T. (2005). Learning the game: How the legislative process works. Washington, DC: National Conference of State Legislatures.
55. Personal Internet Security. (2007). House of Lords, Science and Technology Committee, 5th Report of Session 2006-07, HL Paper 165-I.
56. Ponemon Institute. (2005, September). National survey on data security breach notification. Traverse City, MI: Author.
57. Ponemon Institute. (2008, March). Consumers' report card on data breach notification. Traverse City, MI: Author.
58. Ranger, S. (2007, September 3). Data breach laws make companies serious about security. Retrieved September 7, 2009, from.
59. Robinson, P. H., & Darley, J. M., (2003). The role of deterrence in the formulation of criminal law rules: At its worst when doing its best. Georgetown Law Journal, 91, 949-1002.
60. Romanosky, S., Sharp, R., & Acquisti, A. (2010). Data breaches and identity theft: When is mandatory disclosure optimal? Paper presented at the Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard University, Cambridge, MA.
61. Samuelson Law, Technology, & Public Policy Clinic. (2007). Security breach notification laws: Views from chief security officers. Unpublished manuscript, University of California-Berkeley School of Law.
62. Saskia, K. (2002). SB 1386: Bill analysis. Retrieved December 16, 2010, from.
63. S.B. 2290. (2006). 23d Legislature, State of Hawaii (enacted). Retrieved December 16, 2010, from.
64. Securing Consumers' Data: Options Following Security Breaches. (2005). Hearing before the Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce, House of Representatives, 109th Congress.
65. Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use. (2005). Hearing before the Committee on the Judiciary, Senate, 109th Congress.
66. Securities and Exchange Commission. (2008). Part 248-Regulation s-p: Privacy of consumer financial information and safeguarding personal information; proposed rule. Retrieved November 11, 2008, from.
67. Schwartz, P., & Janger, E. (2007). Notification of data security breaches. Michigan Law Review, 105, 913-984.
68. Shavell, S. (1984). A model of the optimal use of liability and safety regulation. RAND Journal of Economics, 15, 271-280.
69. Shavell, S. (1991). Individual precautions to prevent theft: Private versus socially optimal behavior. International Review of Law and Economics, 11, 123-132.
70. Simitian, J. (2009a). How a bill becomes a law, really. Berkeley Technology Law Journal, 24, 1009-1017.
71. Simitian, J. (2009b, March). How a bill becomes a law, really. David Nelson Memorial Keynote Address at the symposium on Security Breach Notification Six Years Later: Lessons Learned about Identity Theft and Directions for the Future, Berkeley Center for Law & Technology, Berkeley, CA. Retrieved December 16, 2010, from.
72. Tarr, G. A. (2000). Understanding state constitutions. Princeton, NJ: Princeton University Press.
73. Telang, R., & Wattal, S. (2007). An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Transactions on Software Engineering, 33, 544-557.
74. Vijayan, J. (2008, January 29). ChoicePoint to pay $10M to settle breach-related lawsuit. Network World. Retrieved November 1, 2009, from.
75. Walker, J. (1969). The diffusion of innovations among the American states. American Political Science Review, 63, 880-899.
76. Wolfers, J., & Donohue, J. J. (2006). Uses and abuses of empirical evidence in the death penalty debate. CEPR Discussion Paper No. 5493. London: CEPR.