To Notify or Not to Notify? Do Organizations Comply with U.S. Data Breach Notification Laws? An Empirical Study

Research output: Working paperPreprintAcademic

19 Downloads (Pure)


Data Breach Notification Laws (DBNLs) oblige organizations to notify personal data breaches. In theory, DBNLs mitigate damage after a data breach and incentivize companies to invest in information security. The regulatory enforcement of the DBNL is based on deterrence, because penalties are imposed, varying from $1,000 to $750,000 between states. It is uncertain whether DBNLs are deterrent enough to prevent organizations from concealing data breaches, especially because organizations suffer reputational costs from a notification. This study empirically tests compliance, by relating the adoption and characteristics of different U.S. DBNLs to actual observed data breach notifications based on the privacy breach clearinghouse dataset (2005-2012). After the adoption of the law, a 50% increase of notifications is observed. But, the absolute number of notifications is low, merely 0.05% of the U.S. companies notified. This indicates low compliance, possibly caused by high costs of notifying and low costs of concealing a notification. Unexpectedly, higher sanctions did not have an effect, but limited commensurability of the different sanctioning regimes prohibits a permanent statement. This paper recommends enhancing DBNLs by increasing both the benefits of notifying and deterrence. Benefits are increased by incorporating rewards for good behavior by assisting companies in mitigating damage and continuously reward companies that are compliant by sharing knowledge about threats. Deterrence is increased by higher penalties and more stringent enforcement.
Original languageEnglish
Number of pages29
Publication statusPublished - 30 Apr 2014

Bibliographical note

JEL Classification: C23, K40, L51


Dive into the research topics of 'To Notify or Not to Notify? Do Organizations Comply with U.S. Data Breach Notification Laws? An Empirical Study'. Together they form a unique fingerprint.

Cite this