Evaluating Data Breach Disclosure Laws

5 Responses

  1. Chris says:

    I’m sure the modeling on this is complicated enough, but I suspect that there are also hidden benefits that payment of this disclosure tax brings.

    If firms which otherwise would be sloppy begin to operate more regularly, they may see that it pays off in the form of less unscheduled downtime, etc. In a sense, these laws may — in part — act as a form of Service Level Agreement, with firms agreeing to pay an embarrassing and costly disclosure tax if they do not deliver according to the SLA. Just as — I would argue — contractual SLAs with penalties cause IT organizations to pay better attention to performance, laws such as these may have similar effects. I have no idea how I’d attempt to measure them :^).

  2. Chris Cosner says:

    Sasha, can you explain what you mean by ‘social cost’? Is it an aggregate cost for all parties? Is it purely monetary? If so, what would be its ultimate measure? GDP?

  3. Sasha says:

    Hey Chris, thanks for the comment.

    What you describe is indeed a possible outcome: a positive externality from additional security investment (spillovers to other departments, perhaps). You could also include any sort of resilience to outage or security incident because of these investments.

    While we do not specifically model this effect, you might approach it this way: since the benefits are all internalized by the firm, the effect might be to just proportionally reduce the cost of investment. The important thing, though, is whether this change just ends up shifting curves one way or another, or whether it fundamentally alters the shape of some function. The latter would qualitatively change the result, while the former would not.
  4. Sasha says:

    Chris (Cosner),

    Thanks, and sorry for not being more clear. What I’m considering as social cost is really just the sum of the cost to the consumer and the firm (the breached company).

    In these economic models, one often considers the behavior (e.g. cost of security investment) to one firm and one consumer. The ‘social cost,’ then, is literally just the sum of these two costs. You can easily expand that to consider costs to all firms or all consumers just as you suggest, but then you easily lose focus on your question of interest.
  5. Sasha says:

    For those interested, the full paper is at http://ssrn.com/abstract=1268926.