A new Carnegie Mellon University study finds that data-breach-disclosure laws—which require organizations to reveal when personal information on their servers has been compromised—have been ineffective at reducing identity theft.
Carnegie Mellon researchers used numbers from the U.S. Federal Trade Commission to evaluate whether such laws have deterred identity theft. They found “no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce,” although they noted that the data were imperfect. The authors say that theirs is the first known attempt to empirically measure the effectiveness of these state laws.
The study’s findings may be of particular interest to universities and educational software vendors, which have been responsible for scores of security breaches of personal information and have been criticized for not disclosing their breaches soon enough.—Catherine Rampell
