To Notify or Not to Notify? Do Organizations Comply with U.S. Data Breach Notification Laws? An Empirical Study

Data Breach Notification Laws (DBNLs) oblige organizations to notify personal data breaches. In theory, DBNLs mitigate damage after a data breach and incentivize companies to invest in information security. The regulatory enforcement of the DBNL is based on deterrence, because penalties are imposed, varying from $1,000 to $750,000 between states. It is uncertain whether DBNLs are deterrent enough to prevent organizations from concealing data breaches, especially because organizations suffer reputational costs from a notification. This study empirically tests compliance, by relating the adoption and characteristics of different U.S. DBNLs to actual observed data breach notifications based on the privacy breach clearinghouse dataset (2005-2012). After the adoption of the law, a 50% increase of notifications is observed. But, the absolute number of notifications is low, merely 0.05% of the U.S. companies notified. This indicates low compliance, possibly caused by high costs of notifying and low costs of concealing a notification. Unexpectedly, higher sanctions did not have an effect, but limited commensurability of the different sanctioning regimes prohibits a permanent statement. This paper recommends enhancing DBNLs by increasing both the benefits of notifying and deterrence. Benefits are increased by incorporating rewards for good behavior by assisting companies in mitigating damage and continuously reward companies that are compliant by sharing knowledge about threats. Deterrence is increased by higher penalties and more stringent enforcement.