Tech Times reports:
A study by researchers from the University of Minnesota and George Mason University has reportedly claimed that US cybersecurity laws on breach notifications have little to no effect on curbing data breach incidents in the country.
The legislation that requires businesses to tell customers if their data has been compromised, known as breach notification laws (BNLs), enacted by governments of all 50 states, has reportedly been discovered by the study as ineffective after comparing data on data breach incidents before and after the enactment of the laws.
The Privacy Rights Clearinghouse (PRC), a group organizing information on corporate data breaches since 2005, reportedly provided the researchers with the data, including details about the number of compromised records, the locations, causes, and the names of the affected firms.
Read more at Tech Times.
That breach notification laws do not decrease breach incidents comes as no surprise to Data Breach Times. There need to be more consequences than just having to notify people of a breach for the laws to have any real impact on the number of breaches. While some laws provide for consequences, there has been relatively little actual enforcement or imposition of such consequences by regulators.
If the cybersecurity laws are not decreasing the number of breaches, perhaps it is time to revisit the laws and evaluate whether they incorporate mandatory consequences that might serve as a deterrent. Or will laws with mandatory consequences simply result in more entities covering up breaches?
These are complex issues. Perhaps instead of concluding that notification laws do not decrease breaches, we should ask, “Are there any conditions under which breach notification laws do decrease breaches?”
Read the study referred to in the Tech Times article: Do US State Breach Notification Laws Decrease Firm Data Breaches?