Monday, August 28, 2017

Research: Data Breach Laws: Do They Work?

Schuessler, J. H., Nagy, D, Fulk, H. K., & Dearing, A. (2017). Data Breach Laws: Do They Work? Journal Of Applied Security Research, 12(3), 84.

I've got a data breach paper coming out in October in the Journal of Applied Security Research that argues for the passage of federal legislation to combat data breaches. I say "combat" but that is really a misnomer. See, "combat" makes it sound like we can take the fight to the bad guys and make them pay for breaking into organizations, stealing personal information, and selling it on the dark web. Unfortunately, it is not that easy. Neither is the passage of federal legislation that governs how those who have been breached should deal with the situation publicly.

Now, I tend to have a rather wide libertarian streak in me. As a result, I do not make light of calling for federal legislation. But, we have to look at the facts. What are the goals behind the creation of data breach legislation in the first place? It is not to stop or otherwise limit the occurrence of data breaches. Nearly every state in the U.S. has passed data breach laws. Only Alabama, New Mexico, and South Dakota do not have such laws (National Conference of State Legislatures, n.d.). So, if such laws were working to reduce breaches, we would not be seeing the seemingly geometric rise in breaches that is actually occurring. In fact, my analysis showed that there were an average of 5.07 data breaches per year in states that would eventually pass data breach legislation and an average of 9.21 breaches per year in those same states after the passage of such legislation.

Table 1. Annual Breaches by Industry.

Industry              2005  2006  2007  2008  2009  2010  2011  2012  2013  2014
Business                25    67   130   237   202   274   177   162   195   258
Educational             75    80   111   131    78    65    57    63    54    57
Government/Military     21    99   110   110    90   104    54    55    60    92
Health/Medical          16    44    63    99    70   165   102   167   271   333
Financial/Credit        20    31    32    79    58    54    31    24    34    43
Total                  157   321   446   656   498   662   421   471   614   783

So, no, data breach laws are not designed to reduce the number of data breaches. Rather, data breach laws are designed to facilitate informing consumers that their data has been breached so that they can take measures to protect their private and financial information, as opposed to protecting the information systems that were originally compromised in the first place. Such laws typically include an element that requires notification to the consumer in certain situations, such as a breach in which their name and social security number were not encrypted and were somehow compromised. When that happens, consumers are notified and can take action to protect themselves, such as monitoring their financial transactions, signing up for credit monitoring services, etc. It's not really about fixing the problem itself but rather, more about applying a band-aid after the fact.

Table 2. Relevant State and Territory Statutes.

State                  Citation
Alaska                 Alaska Stat. § 45.48.010 et seq.
Arizona                Ariz. Rev. Stat. § 44-7501
Arkansas               Ark. Code § 4-110-101 et seq.
California             Cal. Civ. Code §§ 1798.29, 1798.80 et seq.
Colorado               Colo. Rev. Stat. § 6-1-716
Connecticut
Delaware
Florida                Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i)
Georgia                Ga. Code §§ 10-1-910, -911, -912; § 46-5-214
Hawaii                 Haw. Rev. Stat. § 487N-1 et seq.
Idaho                  Idaho Stat. §§ 28-51-104 to -107
Illinois               815 ILCS §§ 530/1 to 530/25
Indiana                Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.
Iowa                   Iowa Code §§ 715C.1, 715C.2
Kansas                 Kan. Stat. § 50-7a01 et seq.
Kentucky
Louisiana              La. Rev. Stat. §§ 51:3071 et seq., 40:1300.111 to .116
Maine                  Me. Rev. Stat. tit. 10 § 1347 et seq.
Maryland               Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
Massachusetts          Mass. Gen. Laws § 93H-1 et seq.
Michigan               Mich. Comp. Laws §§ 445.63, 445.72
Minnesota              Minn. Stat. §§ 325E.61, 325E.64
Mississippi            Miss. Code § 75-24-29
Missouri               Mo. Rev. Stat. § 407.1500
Montana
Nebraska               Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada                 Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire          N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21, 189:66
New Jersey             N.J. Stat. § 56:8-161, -163
New York
North Carolina         N.C. Gen. Stat. §§ 75-61, 75-65
North Dakota           N.D. Cent. Code §§ 51-30-01 et seq., 51-59-34(4)(d)
Ohio                   Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma               Okla. Stat. §§ 74-3113.1, 24-161 to -166
Oregon
Pennsylvania           73 Pa. Stat. § 2301 et seq.
Rhode Island
South Carolina         S.C. Code § 39-1-90, 2013 H.B. 3248
Tennessee              Tenn. Code § 47-18-2107; § 8-4-119 (2015 S.B. 416, Chap. 42)
Texas                  Tex. Bus. & Com. Code §§ 521.002, 521.053; Tex. Ed. Code § 37.007(b)(5); Tex. Pen. Code § 33.02
Utah                   Utah Code §§ 13-44-101 et seq.; § 53A-13-301(6)
Vermont                Vt. Stat. tit. 9 § 2430, 2435
Virginia               Va. Code § 18.2-186.6, § 32.1-127.1:05, § 22.1-20.2
Washington
West Virginia          W.V. Code §§ 46A-2A-101 et seq.
Wisconsin              Wis. Stat. § 134.98
Wyoming                Wyo. Stat. § 40-12-501 et seq.
District of Columbia   D.C. Code § 28-3851 et seq.
Guam
Puerto Rico            10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands         V.I. Code tit. 14, § 2208

"So, if that is the case, why aren't state laws fine?" Well, I'll tell you why. They cost us more money. In a paper by Hovav and Gray (2014), they looked at the effect of the TJMaxx breach on various stakeholders. Their identification of stakeholders was pretty exhaustive and even included the intruders themselves. The end result of their analysis was that in the long run, TJX, the parent company, was just fine. Initially, stock prices tanked, but as damage estimates were revised down, class-action lawsuits were dismissed, and a settlement with Visa was reached, their stock value actually increased. Similar results for the Target breach can be found. So, there's no real market force in the long run that encourages organizations to protect the data of their customers. As long as they can weather the storm, they will come out the other side stronger than they were before knowledge of the breach occurred.

Table 3. Statistical Significance Before and After Enactment of Data Breach Laws.

                     Before Law Implemented   After Law Implemented
Average              5.07                     9.21
Variance             103.1                    93.5
P(T <= t) Two-tail   .041

Now, this is not to say that breaches are "good" for companies. There are real dollar values associated with a data breach. According to the Ponemon Institute (2014), the average cost of a data breach in 2014 was $5.85 million. That's $201 per record compromised. Those costs are even higher in healthcare. In light of the data from my study, in which businesses and health/medical organizations reported more breaches after data breach laws were enacted, that is a deadly combination. But, where do those costs come from? Costs come from the need to hire forensics experts, hotline support, notifications, providing credit monitoring subscriptions, etc.

Table 4. Effect of Data Breach Laws on Industry.

Industry              Before Law Implemented   After Law Implemented   p-value (α = .05)
Business              1.21                     4.19                    .03
Education             1.65                     1.51                    .72
Government/Military   1.24                     1.60                    .36
Health/Medical        .66                      3.06                    .00
Financial/Credit      .61                      .82                     .57

Table 5. Relationship between annual health care costs nationally and the number of data breaches occurring in the health care industry.

                                                   2005   2006   2007   2008   2009   2010   2011   2012   2013
Total National Health Expenditures (in billions)  2,035  2,167  2,304  2,414  2,506  2,604  2,705  2,817  2,919
Number of Healthcare Data Breaches                   16     43     60     97     64    155     76    158    162

So, this brings us back to the issue at hand: what is the goal behind data breach legislation? Let's refine that question just a bit. What is the goal behind federal data breach legislation? If it is not to curtail the occurrence of data breaches and it is not to encourage organizations to do a better job of protecting their customers' information, then what is it?

I would argue that it is about streamlining the compliance issue. Part of the reason the cost per record is so high is that organizations that operate across state lines have up to 47 different jurisdictions to potentially comply with (assuming they do business in each state with breach laws on the books). This makes compliance a significant issue. A federal law that establishes a baseline for reporting requirements and defines what constitutes a data breach is needed. It would help to reduce the costs associated with complying with the various states' current laws by allowing organizations to more simply comply with a single federal law.

References
Gross, G. (2013). Lawmakers push for federal data breach notification law. PCWorld. Available at: http://www.pcworld.com/article/2044673/lawmakers-push-for-federal-data-beach-notification-law.html. Accessed March 20, 2017.

Anthony, J. H., Choi, W., & Grabski, S. (2006). Market reaction to e-commerce impairments evidenced by website outages. International Journal of Accounting Information Systems, 7(2), 60-78. doi:10.1016/j.accinf.2005.10.002

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. International Journal of Electronic Commerce, 9(1), 69.

Centers for Medicaid & Medicare Services. (2015). Retrieved May 27, 2015, from https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/NationalHealthExpendData/Downloads/Tables.zip

Clarke, R. (1994). Human identification in information systems: Management challenges and public policy issues. Information Technology & People, 7(4), 6-37.

Hardekopf, B. (2014, March 22). This Week In Credit Card News: Data Breaches At Supermarkets, Hospitals And UPS; Fighting Card Theft. Retrieved from http://www.forbes.com/sites/moneybuilder/2014/08/22/this-week-in-credit-card-news-data-breaches-at-supermarkets-hospitals-and-ups-fighting-card-theft/

Hovav, A. P., & Gray, P. (2014). The Ripple Effect of an Information Security Breach Event: A Stakeholder Analysis. Communications of the Association for Information Systems, 34(50), 893-912.

Humer, C., & Finkle, J. (2017). Your medical record is worth more to hackers than your credit card. Reuters. Available at: http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. Accessed March 20, 2017.

Identity Theft Resource Center. Retrieved from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html

Joerling, J. (2010). Data breach notification laws: an argument for a comprehensive federal law to protect consumer data. Washington University Journal of Law & Policy, 467.

Millman, J. (2014). Health care data breaches have hit 30M patients and counting. Washington Post. Available at: https://www.washingtonpost.com/news/wonk/wp/2014/08/19/health-care-data-breaches-have-hit-30m-patients-and-counting/?utm_term=.c850a7e6b8b1. Accessed March 20, 2017.

National Conference of State Legislatures. (n.d.). Security breach notification laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Accessed March 20, 2017.

Phelps, J., Nowak, G., & Ferrell, E. (2000). Privacy concerns and consumer willingness to provide personal information. Journal of Public Policy & Marketing, 19(1), 27-41.

Ponemon Institute. (2014). 2014 Cost of Data Breach Study: United States.

Ring, L. S. (2016, May 31). Is a Federal Data Breach Law in the Cards This Year? Retrieved May 23, 2017, from http://www.focusdatasolutions.com/techpol/is-a-federal-data-breach-law-in-the-cards-this-year

Schuessler, J. H. (2010). General deterrence theory: Assessing information systems security effectiveness in large versus small businesses. Dissertation Abstracts International Section A, 70, 3681.

Schuessler, J. H., Windsor, J., & Wu, Y. (2014). System Security Effectiveness in Large Versus Small Businesses. Journal of Information System Security, 10(1), 3-40.

Sherman, E. (2014, August 28). Why $250M didn't protect J.P. Morgan from hackers. Retrieved from http://www.cbsnews.com/news/why-250m-didnt-protect-J.P.-morgan-from-hackers/

Shultz, K. S., Hoffman, C. C., & Reiter-Palmon, R. (2005). Using archival data for I-O research: advantages, pitfalls, sources, and examples. The Industrial-Organizational Psychologist, 42(3), 31-37.

Straub, D. W., & Welke, R. J. (1998). Coping With Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, 22(4), 441-469.

Thomas, L. (2014). Providing Notice After A Data Breach: 10 Steps To Take. Law360. Retrieved from http://www.law360.com/articles/534816/providing-notice-after-a-data-breach-10-steps-to-take