Breach notification laws have been a major driver of data protection efforts in U.S. organizations for over a decade. This form of disclosure-based regulation exists in 47 of 50 U.S. states, as well as four other U.S. jurisdictions, but has yet to be adopted as a law of general applicability at the Federal level.
This Essay considers the effects the structure of existing disclosure-based cybersecurity regulation has on the efficacy of U.S. firms' cybersecurity measures. Drawing on previous empirical work and analysis of firm incentives, it suggests two modest conclusions about the most efficacious legal structures: 1) that any disclosure-based regulation should be part of a broader cybersecurity regulatory framework; and 2) that any risk-of-harm threshold triggering notification should bear a presumption in favor of notification. Based on these conclusions, I suggest a preliminary regulatory prescription for policymakers considering adoption or standardization of disclosure-based regulation in the data protection context.