Data Breach (Regulatory) Effects

David Thaw, University of Pittsburgh, School of Law

Symposium

Abstract

Breach notification laws have been a major driver of data protection efforts in U.S. organizations for more than a decade. This form of disclosure-based regulation exists in 47 of 50 U.S. states, as well as four other U.S. jurisdictions, but has yet to be adopted as a law of general applicability at the federal level. This Essay considers the effects the structure of existing disclosure-based cybersecurity regulation has on the efficacy of U.S. firms’ cybersecurity measures. Drawing on previous empirical work and analysis of firm incentives, it suggests two modest conclusions about the most efficacious legal structures: (1) that any disclosurebased regulation should be part of a broader cybersecurity regulatory framework and (2) that any risk-of-harm threshold triggering notification should bear a presumption in favor of notification. Based on these conclusions, I suggest a preliminary regulatory prescription for policymakers considering adoption or standardization of disclosurebased regulation in the data protection context.