Academia.eduAcademia.edu

Outline

Title
Abstract
The Emerging Law of Data-Breach Harms
Judicial Approaches to Data-Breach Harms
Data Sensitivity and Data
Fraudster Obtains Personal Data but Use Remains
Personal Data Exposed
Conclusion
References
All Topics
Computer Science
Cybersecurity

Risk and Anxiety: A Theory of Data Breach Harms

Profile image of Daniel J . SoloveDaniel J . Solove

2016, SSRN Electronic Journal

https://doi.org/10.2139/SSRN.2885638
visibility

description

50 pages

link

1 file

Abstract

for their research assistance. We are grateful to the editors of the Texas Law Review for their superb assistance.

Related papers

Data Breach Disclosure
Melissa Dark

Concepts, Methodologies, Tools and Applications

As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, we have seen noticeable growth in public policy aimed at bolstering cybertrust. With this growth in public policy, questions regarding the effectiveness of these policies arise. This chapter focuses on policy analysis of the state data breach disclosure laws recently enacted in the United States. The state data breach disclosure laws were chosen for policy analysis for three reasons: the rapid policy growth (the United States have enacted 45 state laws in 6 years); this is the first instantiation of informational regulation for information security; and the importance of these laws to identity theft and privacy. The chapter begins with a brief history in order to provide context. Then, this chapter examines the way in which historical, political and institutional factors have shaped our current data breach disclosure policies, focusing on discovering how p...

View PDFchevron_right
Data Breach- an Oblivious Threat and Its Consequences
Rahul Chawda

International Journal of Engineering Applied Sciences and Technology

Data breach has become one of the serious problems in recent years as with the increase in technology the threat of data security is increasing. This paper mainly focuses on giving information about causes of data spill and prevention methods an organisation or individual should adopt to prevent themselves from such a threat.

View PDFchevron_right
The Economic Impact of Privacy Violations and Security Breaches
Heiko Roßnagel

Business & Information Systems Engineering, 2014

In an experiment, the authors distinguish between the impact of privacy violations and security breaches on the subjects' trust and behavior. They focus on first-order effects and thus the direct consumer reaction. While privacy is of prime importance for building trust, the actual behavior is affected less and customers value security higher when it comes to actual decision making. Evidence is found for the so-called "privacy paradox" which describes that people do not act according to their privacy concerns.

View PDFchevron_right
More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws
Fabio Bisogni

Journal of Information Policy, 2020

This article investigates the relationship between data breaches and identity theft, including the impact of Data Breach Notification Laws (DBNL) on these incidents (using empirical data and Bayesian modeling). We collected incident data on breaches and identity thefts over a 13-year timespan (2005–2017) in the United States. Our analysis shows that the correlation is driven by the size of a state. Enacting a DBNL still slightly reduces rates of identity theft; while publishing breaches notifications by Attorney Generals helps the broader security community learning about them. We conclude with an in-depth discussion on what the European Union can learn from the US experience.

View PDFchevron_right
An Empirical Investigation of Company Response to Data Breaches
Hamid Reza Nikkhah, Varun Grover

MIS Quarterly, 2022

Companies may face serious adverse consequences as a result of a data breach event. To repair the potential damage to relationships with stakeholders after data breaches, companies adopt a variety of response strategies. However, the effects of these response strategies on the behavior of stakeholders after a data breach are unclear; differences in response times may also affect these outcomes, depending on the notification laws that apply to each company. As part of a multi-method study, we first identify the adopted response strategies in Study 1 based on content analysis of the response letters issued by publicly traded U.S. companies (n = 204) following data breaches; these strategies include any combination of the following: corrective action, apology, and compensation. We also find that breached companies may remain silent and adopt a no action strategy. In Studies 2 and 3, we examine the effects of various response strategies and response times on the predominant stakeholders affected by data breaches: customers and investors. In Study 2, we focus on customers and present a moderated-moderated-mediation model based on the expectancy violation theory. To test this model, we design a factorial survey with 15 different conditions (n = 811). In Study 3, we focus on investors and conduct an event study (n = 166) to examine their reactions to company responses to data breaches. The results indicate the presence of moderating effects of certain response strategies; surprisingly, we do not find compensation to be more effective than apology. Further, the magnitude of the moderating effects of response strategies is contingent upon response time. We also find that the negative effects of data breaches disappear after 6 months. We interpret the results and provide implications for research and practice.

View PDFchevron_right
Post Data Breach Use of Protective Technologies: An Examination of Users’ Dilemma
Francis Andoh-Baidoo

Proceedings of the 53rd Hawaii International Conference on System Sciences, 2020

This preliminary research addresses the technology use uncertainties that arise when users are presented with protective technologies following a data breach or privacy violation announcement. Prior studies have provided understanding of determinants of technology use through several perspectives. The study complements prior research by arguing that, beyond individual dispositions or technology features, data breach announcements bring users' focus on the actions of the breaching organization. Fair process and information practices provide avenue for organizations to alleviate users' concerns and increase service usage. We draw on organizational justice theory to develop a model that explicates the effect of organizational fairness process and use of technologies. We test this model using data from 200 Facebook users recruited from Amazon MTurk. We found that procedural and informational justice have differential effect on users' desire to use protective technologies. Our findings have both theoretical and practical implications.

View PDFchevron_right
Data Breach – Its Effects on Industry
IJDIIC IJDIIC

Zenodo (CERN European Organization for Nuclear Research), 2022

In this Digital world, Data has become one of the most crucial parts in every field. To protect this sensitive piece of information many methods and technologies are coming into existence. A data breach reveals sensitive, protected and confidential information to an unauthorized person. Increasingly opportunities exist for information to leak out as our computers and mobile devices become more associated. Data leaks pose a serious threat to companies and can cost them significantly either financially and reputationally. The long-term effects of a data breach can spread throughout a company, having an effect on all parties involved, including the user base, staff, and cybersecurity teams in charge of repair. By giving priority to the most frequently attacked industries, this article will advance understanding about data hacking incidents and aid in securing corporate data.

View PDFchevron_right
Personal data disclosure and data breaches: the customer's viewpoint
Maurizio Naldi

arXiv preprint arXiv:1203.3870, 2012

Abstract: Every time the customer (individual or company) has to release personal information to its service provider (eg, an online store or a cloud computing provider), it faces a trade-off between the benefits gained (enhanced or cheaper services) and the risks it incurs (identity theft and fraudulent uses). The amount of personal information released is the major decision variable in that trade-off problem, and has a proxy in the maximum loss the customer may incur. We find the conditions for a unique optimal solution to exist for ...

View PDFchevron_right
Are Firms Perceived As Safer After an Information Breach
Sajeev Varki

2014

With hackers being active in their attempts to steal customer information, prior research has focused on how information breach influences firms at an aggregate level. We examine consumers' decision at the individual level and find that consumers would feel safer to stay with the breached firm if attack is random.

View PDFchevron_right
Perceived Risk and Desired Protection: Towards A Comprehensive Understanding of Data Sensitivity
Kiyoshi Murata

2020

This study clarifies the characteristics of the perceived risk of personal data release and the required protection as a preliminary step toward a comprehensive understanding of data sensitivity, and has long been regarded as the key parameter distinguishing data that should be protected from data that should be utilised. Few studies have empirically considered the cognitive characteristics of data sensitivity. It is essential to consider both perceived risk and desired protection when seeking a comprehensive understanding of data sensitivity. Thus, we quantitatively examined the characteristics of both components using four types of personal data (two of which are considered sensitive under Japanese law). The authors surveyed 420 Japanese subjects and analysed the results using the Friedman test and the Mann-Whitney Utest. The perceived risks and desired protections differed significantly among the four types of data, and legally defined data sensitivities did not always explain the observed differences. The extent of interest in personal data increased the perceived risk and the desire for protection. The effects of various personal factors including gender and the tendency to self-protect were relatively weak, so further analysis is required. We discuss the remaining issues and future research directions.

View PDFchevron_right

References (19)

  1. J. Craig Anderson, Identity Theft Growing, Costly to Victims, USA TODAY (Apr. 14, 2013), http://www.usatoday.com/story/money/personalfinance/2013/04/14/identity-theft-growing/ 2082179/ [https://perma.cc/7T5Q-DTHH].
  2. BUREAU OF JUST. STAT., U.S. DEP'T OF JUST., NCJ 243779, VICTIMS OF IDENTITY THEFT, 2012, at 7 (2013), https://www.bjs.gov/content/pub/pdf/vit12.pdf [https://perma.cc/773U-SHVT]. 113. Id.
  3. Thomas Clifford, Note, Provider Liability and Medical Identity Theft: Can I Get Your (Insurance) Number?, NW. J.L. & SOC. POL'Y, Fall 2016, at 45, 45. 115. BUREAU OF JUST. STAT., supra note 112, at 6. 116. Id. at 10.
  4. See Andrea Peterson, Data Exposed in Breaches Can Follow People Forever. The Protections Offered in Their Wake Don't., WASH. POST (June 15, 2015), http://www.washingtonpost.com/blogs/the-switch/wp/2015/06/15/data-exposed-in-breaches-can- follow-people-forever-the-protections-offered-in-their-wake-dont/ [https://perma.cc/JBF5-4K6X] (explaining that card providers quickly identify and replace at-risk card numbers).
  5. Id.
  6. See, e.g., Tara Siegel Bernard et al., Equifax Says Cyberattack May Have Affected 143 Million in the U.S., N.Y. TIMES (Sept. 7, 2017), https://www.nytimes.com/2017/09/07/ business/equifax-cyberattack.html?hp&action=click&pgtype=Homepage&clickSource=story- heading&module=first-column-region&region=top-news&WT.nav=top-news [https://perma.cc/ D9E6
  7. -BXGW] (discussing the 2017 Equifax cyberattack that resulted in a breach of sensitive consumer information);
  8. Rishi Iyengar, Hackers Release Data from Cheating Website Ashley Madison Online, TIME (Aug. 18, 2015), http://time.com/4002647/ashley-madison-hackers-data- released-impact-team/?iid=sr-link1 [https://perma.cc/37Y3-WHAP] (detailing the 2015 data breach of Ashley Madison that revealed members' personal and financial data);
  9. Maggie McGrath, Target Data Breach Spilled Info On As Many As 70 Million Customers, FORBES (Jan. 10, 2014), https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as- many-as-70-million-customers/#528bf61ee795 [https://perma.cc/XQ6V-GUSK] (reporting on the breach of customer information at Target in late 2013).
  10. See How to Keep Your Personal Information Secure, FED. TRADE COMM'N: CONSUMER INFO. (July 2012), https://www.consumer.ftc.gov/articles/0272-how-keep-your-personal- information-secure [https://perma.cc/H7QF-JZN3] (detailing suggestions for protecting personal information to avoid identity theft).
  11. Id.
  12. See, e.g., AMAZON WEB SERVS., AMAZON WEB SERVICES: OVERVIEW OF SECURITY PROCESSES 1 (2017), https://d0.awsstatic.com/whitepapers/Security/AWS_Security_
  13. Whitepaper.pdf [https://perma.cc/8KR8-QQFT] ("Helping to protect the confidentiality, integrity, and availability of our customers' systems and data is of the utmost importance . . . .");
  14. This Is How We Protect Your Privacy, APPLE INC., https://www.apple.com/privacy/approach-to-privacy/ [https://perma.cc/ZQC8-4B8H] ("We're committed to keeping your personal information safe.").
  15. ELDER, supra note 47, § 2:10. 191. Levit, supra note 128, at 147-48.
  16. ELDER, supra note 47, at § 5:2.
  17. Lewis R. Hagood, Claims of Mental and Emotional Damages in Employment Discrimination Cases, 29 U. MEM. L. REV. 577, 586 (1999) ("[A] majority of the federal courts that have held a plaintiff's own testimony as sufficient to sustain an award of damages for emotional distress usually subject such claims to heightened scrutiny.").
  18. See Citron, Mainstreaming, supra note 36, at 1811-14 (offering examples of mental injuries resulting from privacy intrusions). 195. Id. at 1811.
  19. Keating, supra note 54, at 277 & n.18.

Related papers

Reacting to the scope of a data breach: The differential role of fear and anger
Subimal Chatterjee

Journal of Business Research, 2019

We investigate how fearful and angry consumers react to the scope (number of customers affected) of a data breach. In two laboratory studies, we show that whereas fear makes consumers scope sensitive such that their intentions not to purchase from the affected retailer increases with scope, anger makes consumers scope insensitive and their repurchase intentions scope invariant. Process tests show that whereas scope indirectly affects the repurchase intentions of fearful consumers by making the mental image of the breach more vivid to them, scope does not affect how angry consumers imagine the breach nor their repurchase intentions. We find similar results in a field study, analyzing approximately 12,000 news stories of data breaches, showing that scope affects stock market reactions when the stories stress fear over anger but not when they stress anger over fear.

View PDFchevron_right
Towards a Model for Data Breaches: An Universal Problem for the Public
Robert Holtfreter

International Journal of Public Information Systems, 2014

The topic of data breaches, protection of information and data security salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world. This article analyzes the trends in data breaches in the United States and classifies them into five general industry sectors and eighteen sub-sectors using a new model recently developed by the authors and also provides basic recommendations for information and security personnel in every industry throughout the world to use to improve data protection and thus help protect public information for consumers and all types of organizations. The 2,280 data breaches tracked by the Privacy Rights Clearinghouse from 2005 through 2010 were used in the study. The findings indicate that the trends for the annual number of data breaches for the five general industries and their sub-sectors have increased, although inconsistently, over the six-year period. The analysis and classification of data breaches by general and sub-sector industries with the use of this new data breach model provides an awareness of the data breach problem for information managers and security personnel in public and private sector organizations throughout the world and also provides a workable methodological framework to help them develop innovative and useful policies for safeguarding personal information of consumers, clients, employees and other entities. The topic of data breaches and information management remains salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world.

View PDFchevron_right
Understanding the Cost Associated with Data Security Breaches
Kholekile Gwebu

2014

To estimate the cost of a data breach to the inflicted firm, this study examines the relationship between a breach incident and changes in the inflicted firm's profitability, perceived risk, and the inflicted firms' information environment transparency. Profitability is measured as reported earnings and analysts' earnings forecasts. Perceived risk is measured as reported stock return volatility and dispersion among analysts' forecasts. Although a number of studies have investigated the stock market reaction surrounding the disclosure of a breach incident to quantify the cost associated with breaches, we argue that there exists information uncertainty and deficiency in the disclosure of the breach incident and stock market reaction surrounding a security breach announcement date may not be the best measure for the cost of security breaches. And research using other complementary measures is warranted. Our preliminary finding suggests that data breaches negatively impact firm profitability, perceived risk and information transparency. Nevertheless, the damage of a breach most likely stems from direct costs such as compensation and litigation costs rather than indirect costs such as tarnished reputation and a decrease in market share and sales. More sophisticated analysts are also found to add value in estimating the real cost of a security breach.

View PDFchevron_right
Data Breaches and the Dilemmas in Notifying Customers
Fabio Bisogni

While the discussion about a federal law on data breach notification is ongoing and a rash of large, costly data breaches has galvanized public interest in the issue, this paper investigates on the phenomenon of data breach notification letters. In case of any data breach a company faces a number of dilemmas on how to inform the customers. The choices that a company makes on the missive content result decisive in having a prompt customers' reaction against identity theft and eventually in shaping the relations between customers and the organization itself. Starting from the various regulations in place in US, the analysis has been performed focusing on the content of over 210 letters sent in US in the first semester of 2014. In particular letters are classified based on elements that can be isolated and analysed, e.g. the level of transparency used in communicating the event causing the breach or the time span between data breach identification and its notification to customers....

View PDFchevron_right
Is Bigger Safer? Analyzing Factors Related to Data Breaches using Publicly Available Information
Ohud Saud Alqahtani

2018

Data breaches have affected hundreds of millions of people. As consumers are exposed to constant risks of data breaches, it makes sense to ask what are the factors that contribute to data breaches such that consumers can make more conscious decisions to reduce risks. For example, suppose a consumer want to open a bank account, shall she use a bigger international bank or a smaller community bank considering risks of data breaches? Existing work on risk or vulnerability analysis typically requires detail internal information of an information system, which is not available to the public. Furthermore organizations typically do not want results of such analysis of their IT systems to be made public. This paper proposes a novel approach that analyzes publicly available information to identify factors contributing to higher data breach risks. This paper also presents an initial study that correlates data breaches in the US from 2005 to 2017 with publicly available information about affec...

View PDFchevron_right

Related topics

  • Psychology
  • Law
  • Internet Law
  • Cybersecurity
  • Social Science Research Network
  • Privacy Law
  • Identity Theft
  • Data Breach
  • Texas Law
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved