'Do data breach notification laws reduce medical identity theft? Evidence from consumer complaints data' by Aniket Kesari in (2022) Journal of Empirical Legal Studies comments:
As the number of data breaches in the United States grows each year, cybersecurity has become an increasingly important policy area. The primary mechanism for regulating and deterring data breaches is the “data breach notification law.” Every US state now has such a law that mandates that certain organizations disclose data breaches to their data subjects. Despite the popularity of these laws, there is relatively little evidence about their effectiveness at deterring breaches, and therefore reducing identity theft. Using medical identity theft panel data collected from the Consumer Financial Protection Bureau, this study implements an augmented synthetic control approach to analyze the effect of California's 2016 data breach notification standards on medical identity theft. This approach suggests that medical identity theft reports in California were reduced by 3.5 reports/100,000 people.