BreachExchange mailing list archives
Research paper on data breaches and identity theft
From: "Sasha Romanosky" <sromanos () andrew cmu edu>
Date: Sat, 10 May 2008 14:07:36 -0400
Greetings,

I'd like to share a research paper that attempts to estimate the effect of data breach disclosure laws on identity theft. I'll be presenting it at this year's workshop on the economics of information security (http://weis2008.econinfosec.org). This is somewhat work in progress as we will be augmenting it with more data and additional analysis. However, I thought the group might be interested in what we've discovered so far.

Title: Do Data Breach Disclosure Laws Reduce Identity Theft?
http://weis2008.econinfosec.org/papers/Romanosky.pdf

Abstract: Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use a panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistical evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law's maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim's average losses and improving a firm's security and operational practices.

cheers,
sasha romanosky
http://www.romanosky.net