Document Type
Article
Publication Date
2015
Recommended Citation
David Thaw, Data Breach (Regulatory) Effects, 2015 Cardozo L. Rev. de Novo 151 (2015).
Available at:
https://scholarship.law.pitt.edu/fac_articles/155
Included in
Administrative Law Commons, Communications Law Commons, Computer Law Commons, Consumer Protection Law Commons, Databases and Information Systems Commons, Information Security Commons, Internet Law Commons, Law and Society Commons
Comments
Breach notification laws have been a major driver of data protection efforts in U.S. organizations for over a decade. This form of disclosure-based regulation exists in 47 of 50 U.S. states, as well as four other U.S. jurisdictions, but has yet to be adopted as a law of general applicability at the Federal level.
This Essay considers the effects the structure of existing disclosure-based cybersecurity regulation has on the efficacy of U.S. firms' cybersecurity measures. Drawing on previous empirical work and analysis of firm incentives, it suggests two modest conclusions about the most efficacious legal structures: 1) that any disclosure-based regulation should be part of a broader cybersecurity regulatory framework; and 2) that any risk-of-harm threshold triggering notification should bear a presumption in favor of notification. Based on these conclusions, I suggest a preliminary regulatory prescription for policymakers considering adoption or standardization of disclosure-based regulation in the data protection context.