Data breach notification laws

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach (unauthorized access to data) [1] to notify their customers and other parties about the breach, and to take specific steps to remedy the situation as set out in the relevant legislation. Data breach notification laws have two main goals. The first is to give individuals a chance to mitigate the risks that follow a data breach. The second is to give companies an incentive to strengthen data security. [2] Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft. [3]

Such laws have been enacted piecemeal across the 50 U.S. states since 2002, and all 50 states now have some form of data breach notification law. [4] There is no federal data breach notification law, despite previous legislative attempts. [5] These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information. [6] Similarly, other jurisdictions have added data breach notification laws to combat the increasing occurrence of data breaches, for example the European Union's General Data Protection Regulation (GDPR) and Australia's Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). [7]

The rise in data breaches conducted by both states and individuals is evident and alarming: according to the Identity Theft Resource Center (ITRC), the number of reported data breaches increased from 421 in 2011 to 1,091 in 2016 and 1,579 in 2017. [8] [9] Breaches have also affected millions of people and gained increasing public awareness through large incidents such as the October 2017 Equifax breach, which exposed the personal information of almost 146 million individuals. [10]

Australia

In 2018, Australia's Privacy Amendment (Notifiable Data Breaches) Act 2017 went into effect. [11] This amended the Privacy Act 1988 (Cth), which had established a notification system for data breaches involving personal information that lead to harm. Now, entities with existing personal information security obligations under the Australian Privacy Act are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of all "eligible data breaches." [12] The amendment followed large data breaches experienced in Australia, such as the Yahoo hack in 2013 involving thousands of government officials and the data breach at the NGO Australian Red Cross, which released the personal information of 550,000 blood donors.

Criticisms of the data breach notification law include the unjustified exemption of certain entities, such as small businesses, and the fact that the Privacy Commissioner is not required to publish data breaches in one permanent place where they could serve as data for future research. In addition, notification obligations are not consistent at the state level. [13]

China

In mid-2017, China adopted a new Cybersecurity Law, which included data breach notification requirements. [13]

European Union

In 1995, the EU passed the Data Protection Directive (DPD), which has since been replaced by the 2016 General Data Protection Regulation (GDPR), a comprehensive data protection law with EU-wide data breach notification requirements. The GDPR offers stronger data protection rules, broader data breach notification obligations, and new elements such as the right to data portability. However, certain areas of the data breach notification rules are supplemented by other data security laws. [13]

For example, in 2009 the European Union implemented a breach notification requirement in the Directive on Privacy and Electronic Communications (E-Privacy Directive), specific to personal data held by telecoms and Internet service providers. [14] [15] This law contains some of the notification obligations for data breaches. [13]

Traffic data about subscribers who use voice and data services over an operator's network is stored by the operator only for operational reasons, and it must be erased once it is no longer necessary, in order to reduce the risk of breaches. Traffic data is, however, needed to prepare and process subscriber billing, and under EU law (Article 6, paragraphs 1-6 [16]) it may be used for that purpose only up to the end of the period during which the bill can be paid. Traffic data may be used for marketing additional chargeable services only if the subscriber has given consent, and that consent can be withdrawn at any time. The service provider must also inform the subscriber or user of the types of traffic data that are processed and of the duration of that processing, within the limits set out above. Processing of traffic data, in accordance with the above details, must be restricted to persons acting under the authority of providers of public communications networks and publicly available electronic communications services who handle billing or traffic management, customer enquiries, fraud detection, marketing of electronic communications services, or the provision of a value added service, and must be restricted to what is necessary for the purposes of those activities.

Data breach notification obligations are also included in the new Directive on security of network and information systems (NIS Directive). This creates notification requirements for operators of essential services and digital service providers, including an obligation to immediately notify the authorities or computer security incident response teams (CSIRTs) if they experience a significant data breach.

Similar to the concern in the US that a state-by-state approach increases costs and makes it difficult to comply with all the state laws, the EU's various breach notification requirements spread across different laws create concern. [13]

Japan

In 2015, Japan amended the Act on the Protection of Personal Information (APPI) to combat massive data leaks, specifically in response to the 2014 Benesse Corporation data leak, in which nearly 29 million pieces of private customer information were leaked and sold. The amendment introduced new penal sanctions on illegal transactions; however, there is no specific provision dealing with data breach notification in the APPI. Instead, the Policies Concerning the Protection of Personal Information, issued in accordance with the APPI, establish a policy that encourages business operators to disclose data breaches voluntarily. [17]

Kaori Ishii and Taro Komukai have theorized that Japanese culture offers a potential explanation for why no specific data breach notification law is needed to encourage companies to strengthen data security. The Japanese general public, and the mass media in particular, condemn leaks. Consequently, data leaks quickly result in lost customer trust, brand value, and ultimately profits. For example, Softbank swiftly lost 107 billion yen after a 2004 data leak, and Benesse Corporation lost 940,000 customers after its data leak. This has resulted in compliance with the policy of disclosing data leaks. [17]

While the claim that Japanese culture explains the absence of specific data breach notification laws is difficult to prove objectively, what has been shown is that companies that experience a data breach suffer both financial and reputational harm. [18] [19]

New Zealand

New Zealand's Privacy Act 2020 came into force on December 1, 2020, replacing the 1993 act. The act makes notification of privacy breaches mandatory. [20] Organisations that receive and collect data now have to report any privacy breach they believe has caused, or is likely to cause, serious harm.

United States

Data Breach Notification Laws have been enacted in all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. [6] As of August 2021, attempts to pass a federal data breach notification law have been unsuccessful. [21]

The 50 States

The first such law, the California data security breach notification law, [22] was enacted in 2002 and became effective on July 1, 2003. [23] The bill was enacted in reaction to the fear of identity theft and fraud. [8] [24] As related in the bill statement, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach of the security of the data.

In general, most state laws follow the basic tenets of California's original law: companies must immediately disclose a data breach to customers, usually in writing. [25] California has since broadened its law to include compromised medical and health insurance information. [26] Where state laws differ most is the threshold at which a breach must be reported to the state Attorney General (usually when it affects 500 or 1,000 individuals or more). Some states, like California, publish these data breach notifications on their oag.gov websites. Breaches must be reported if "sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates." [27] This leaves room for interpretation (will it cause substantial harm?), but breaches of encrypted data need not be reported. Nor must a breach be reported if data has been obtained or viewed by unauthorized individuals but there is no reason to believe they will use the data in harmful ways.

The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws. [6] Alabama and South Dakota enacted their data breach notification laws in 2018, making them the final states to do so.

Some of the state differences in data breach notification laws include thresholds of harm suffered from data breaches, the need to notify certain law enforcement or consumer credit agencies, broader definitions of personal information, and differences in penalties for non-compliance. [13]

Federal Data Breach Notification Law History

As of August 2021, there is no federal data breach notification law. The first proposed federal data breach notification law was introduced to Congress in 2003, but it never exited the Judiciary Committee. [5] Similarly, a number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress. [28] In fact, in 2007, three federal data breach notification laws were proposed, but none passed Congress. [5] In his 2015 State of the Union speech, President Obama proposed new legislation to create a national data breach standard that would establish a 30-day notification requirement from the discovery of a breach. [29] This led to President Obama's 2015 Personal Data Notification & Protection Act (PDNPA) proposal. This would have created federal notification guidelines and standards, but it never came out of committee. [5]

Chlotia Garrison and Clovia Hamilton theorized that a potential reason for the inability to pass a federal law on data breach notifications is states' rights. As of now, all 50 states have varying data breach notification laws. Some are restrictive, while others are broad. [5] While there is not a comprehensive federal law on data breach notifications, some federal laws require notifications of data breaches in certain circumstances. Some notable examples include: the Federal Trade Commission Act (FTC Act), the Financial Services Modernization Act (Gramm-Leach-Bliley Act), and the Health Insurance Portability and Accountability Act (HIPAA). [13]

Debate over federal or state data breach notification laws

Most scholars who advocate for a federal data breach notification law, like Angela Daly, emphasize the problem of having many differing data breach notification laws: companies are forced to comply with multiple state laws at once, which increases both the difficulty of compliance and its cost. In addition, scholars have argued that a state-by-state approach has created the problem of uncompensated victims and inadequate incentives for companies and governments to invest in data security. [13]

Advocates of a state-by-state approach to data breach notification laws emphasize increased efficiency, stronger incentives for local governments to improve data security, the limited federal funding available given competing projects, and, lastly, the ability of states to quickly adapt and pass laws in response to constantly evolving data breach technologies. [10] In 2018, a majority of state attorneys general opposed a proposed federal data breach notification law that would preempt state laws. [30]

Impact

Data breaches occur for reasons ranging from technical issues, such as bad code, to economic issues that cause competing firms not to cooperate with each other on data security. [31] In response, data breach notification laws attempt to prevent harm to companies and the public.

Criminal impact

A serious harm of data breaches is identity theft. Identity theft harms individuals when their stolen personal data is used by another party to cause financial harm (such as withdrawing their money), non-financial harm (such as fraudulently claiming their health benefits), or to impersonate them while committing crimes. [32] Based on data collected from 2002 to 2009 by the U.S. Federal Trade Commission, data breach notification has helped to decrease identity theft by 6.1 percent. [33]

Economic impact

Overall, data breach notifications lead to decreasing market value, evident in publicly traded companies experiencing a decrease in market valuation. [34] [35] Other costs include loss of consumer confidence and trust in the company, loss of business, decreased productivity, and exposure to third-party liability. [35] Notably, the type of data leaked in a breach affects the economic impact: a breach that leaks sensitive data carries harsher economic repercussions. [36]

Victim response

Most federal data breach lawsuits share certain characteristics: the plaintiff seeks relief for losses from identity theft, emotional distress, future losses, and increased risk of future harm; the majority of the litigation consists of private class actions; the defendants are usually large firms or businesses; the causes of action mix common law and statute; and, lastly, most cases settle or are dismissed. [37]

References

  1. Sen, Ravi; Borle, Sharad (2015-04-03). "Estimating the Contextual Risk of Data Breach: An Empirical Approach". Journal of Management Information Systems. 32 (2): 314–341. doi:10.1080/07421222.2015.1063315. ISSN 0742-1222. S2CID 2311182.
  2. Bisogni, Fabio (2016). "Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?". Journal of Information Policy. 6: 154–205. doi:10.5325/jinfopoli.6.2016.0154. ISSN 2158-3897. JSTOR 10.5325/jinfopoli.6.2016.0154.
  3. Acquisti, Alessandro; Friedman, Allan; Telang, Rahul (2006). "Is there a cost to privacy breaches? An event study". ICIS 2006 Proceedings.
  4. Murciano-Goroff, Raviv (2019). "Do Data Breach Disclosure Laws Increase Firms' Investment in Securing their Digital Infrastructure?". Workshop on the Economics of Information Security: 1–39.
  5. Garrison, Chlotia; Hamilton, Clovia (2019-01-02). "A comparative analysis of the EU GDPR to the US's breach notifications" (PDF). Information & Communications Technology Law. 28 (1): 99–114. doi:10.1080/13600834.2019.1571473. hdl:10535/10737. ISSN 1360-0834. S2CID 86668452.
  6. "Security Breach Notification Laws". National Conference of State Legislatures. Retrieved 27 January 2019.
  7. "What is GDPR, the EU's new data protection law?". GDPR.eu. 2018-11-07. Retrieved 2021-10-25.
  8. Bisogni, Fabio; Asghari, Hadi (2020). "More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws". Journal of Information Policy. 10: 45–82. doi:10.5325/jinfopoli.10.2020.0045. ISSN 2381-5892. JSTOR 10.5325/jinfopoli.10.2020.0045. S2CID 226623656.
  9. Romanosky, Sasha; Boudreaux, Benjamin (2020-08-26). "Private-Sector Attribution of Cyber Incidents: Benefits and Risks to the U.S. Government". International Journal of Intelligence and CounterIntelligence. 34 (3): 463–493. doi:10.1080/08850607.2020.1783877. ISSN 0885-0607. S2CID 235636491.
  10. Ronaldson, Nicholas (2019-05-01). "Hacking: The Naked Age Cybercrime, Clapper & Standing, and the Debate Between State and Federal Data Breach Notification Laws". Northwestern Journal of Technology and Intellectual Property. 16 (4): 305. ISSN 1549-8271.
  11. AG. "Privacy Amendment (Notifiable Data Breaches) Act 2017". www.legislation.gov.au. Retrieved 2023-10-29.
  12. Green, Paul. "Australia's mandatory Data Breach Notification laws: Are You Ready?". Business Aspect. Retrieved 30 November 2020.
  13. Daly, Angela (2018). "The introduction of data breach notification legislation in Australia: A comparative view". Computer Law & Security Review. 34 (3): 477–495. doi:10.1016/j.clsr.2018.01.005. ISSN 0267-3649. S2CID 67358435.
  14. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. Article 2(4)(c) of Directive 2009/136/EC amends Article 4(3-5) of Directive 2002/58/EC. This article deals with the security of processing data, breach notifications, and the obligation of service providers to ensure the protection of personal data.
  15. "New specific rules for consumers when telecoms personal data is lost or stolen in EU". Digital Single Market. 5 November 2016. Retrieved 11 May 2016.
  16. Consolidated text: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
  17. Ishii, Kaori; Komukai, Taro (2016-09-07). "A Comparative Legal Study on Data Breaches in Japan, the U.S., and the U.K.". Technology and Intimacy: Choice or Coercion. IFIP Advances in Information and Communication Technology. Vol. AICT-474. pp. 86–105. doi:10.1007/978-3-319-44805-3_8. ISBN 978-3-319-44804-6. S2CID 41459415.
  18. Honeywill, Sean (2006-03-01). "Data Security and Data Breach Notification for Financial Institutions". North Carolina Banking Institute. 10 (1): 269.
  19. Lending, Claire; Minnick, Kristina; Schorno, Patrick J. (2018-04-02). "Corporate Governance, Social Responsibility, and Data Breaches". Financial Review. 53 (2): 413–455. doi:10.1111/fire.12160. ISSN 0732-8516.
  20. "Transitioning from Privacy Act 1993 to Privacy Act 2020". Retrieved 29 November 2020.
  21. Voss, W. Gregory; Houser, Kimberly A. (2019-05-20). "Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies". American Business Law Journal. 56 (2): 287–344. doi:10.1111/ablj.12139. ISSN 0002-7766. S2CID 182271514.
  22. SB 1386, Cal. Civ. Code 1798.82 and 1798.29.
  23. SB 1386 Senate Bill. Archived 2007-06-13 at the Wayback Machine.
  24. Burdon, Mark; Lane, Bill; von Nessen, Paul (2010). "The mandatory notification of data breaches: Issues arising for Australian and EU legal developments". Computer Law & Security Review. 26 (2): 115–129. doi:10.1016/j.clsr.2010.01.006. ISSN 0267-3649.
  25. Berinato, Scott (12 February 2008). "CSO Disclosure Series - Data Breach Notification Laws, State By State". CSO Online. Retrieved 11 May 2016.
  26. "AB 1298 Assembly Bill - CHAPTERED". Retrieved 11 May 2016.
  27. https://www.bakerlaw.com/files/uploads/documents/data%20breach%20documents/state_data_breach_statute_form.pdf (PDF).
  28. "RSA Blogs". RSA.com. Retrieved 27 January 2019.
  29. "The Personal Data Notification & Protection Act" (PDF). Obamawhitehouse.archives.gov. Retrieved 4 May 2018.
  30. Soroka, Saranna (April 8, 2018). "Coalition of 32 State AGs Outline Opposition to Federal Preemption of State Data Breach Notification Laws". JOLT Digest. Retrieved 26 August 2021.
  31. Sen, Ravi (2018). "Challenges to Cybersecurity: Current State of Affairs". Communications of the Association for Information Systems: 22–44. doi:10.17705/1cais.04302. ISSN 1529-3181.
  32. White, Michael D.; Fisher, Christopher (2008). "Assessing Our Knowledge of Identity Theft". Criminal Justice Policy Review. 19 (1): 3–24. doi:10.1177/0887403407306297. ISSN 0887-4034. S2CID 144958696.
  33. Romanosky, Sasha; Telang, Rahul; Acquisti, Alessandro (2011). "Do data breach disclosure laws reduce identity theft?". Journal of Policy Analysis and Management. 30 (2): 256–286. doi:10.1002/pam.20567. ISSN 0276-8739.
  34. Gatzlaff, Kevin M.; McCullough, Kathleen A. (2010). "The Effect of Data Breaches on Shareholder Wealth". Risk Management and Insurance Review. 13 (1): 61–83. doi:10.1111/j.1540-6296.2010.01178.x. ISSN 1098-1616. S2CID 153592982.
  35. Cavusoglu, Huseyin; Mishra, Birendra; Raghunathan, Srinivasan (2004). "The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers". International Journal of Electronic Commerce. 9 (1): 70–104. doi:10.1080/10864415.2004.11044320. ISSN 1086-4415. S2CID 10753015.
  36. Campbell, Katherine; Gordon, Lawrence A.; Loeb, Martin P.; Zhou, Lei (2003). "The economic cost of publicly announced information security breaches: empirical evidence from the stock market" (PDF). Journal of Computer Security. 11 (3): 431–448. doi:10.3233/JCS-2003-11308.
  37. Romanosky, Sasha; Hoffman, David; Acquisti, Alessandro (2014-01-17). "Empirical Analysis of Data Breach Litigation". Journal of Empirical Legal Studies. 11 (1): 74–104. doi:10.1111/jels.12035. ISSN 1740-1453. S2CID 155714280.