Information availability and data breaches: Data breach notification laws and their effects

In response to evolving cybersecurity challenges, global spending on information security has grown steadily, and could eventually reach a level that is inefficient and unaffordable. A better understanding of new socio-technical-economic complexities around information security is urgently needed, which requires both reconsideration of traditional cybersecurity issues and investigation of new and unexplored research directions. In recent times, interdisciplinary research has elucidated the many economic and behavioural dimensions of security. This research is rooted in the field of Information Security Economics, and primarily addresses disclosure policy and specifically, data breach notification laws. Data breach notification laws require any business that suffers a data breach, or believes that it suffered a data breach, to notify customers about the incident that entails the unauthorised acquisition of unencrypted and computerised personal information. Such laws offer incentives to the party who owes the notification duty to minimise the number of triggering events and also enable the affected third parties to diminish the consequences, namely identity theft, and to make prudent choices in the future. Public policy that seeks to improve the effects of data breach notification legislation must be informed by a comprehensive understanding of the behaviour and incentives of the organisations and individuals involved in the notification flow. Thus, this dissertation poses the fol-lowing research question: What are the effects of the provisions of data breach notification laws on (1) communications issued by breached organisations to their customers; (2) the timing of breach detection and reaction; (3) the number of data breaches reported; and (4) the volume of identity theft stemming from data breaches? As we live in the era of big data, it was possible to access and utilise data on the number of breaches and the number of notifications sent. However, it was also necessary to examine further the types of breaches that occurred as well as the types of communication sent and how individuals perceived them. This analysis allows to develop specific metrics, activating critical thinking about the measurement and the underlying phenomenon. This dissertation examines these notions and answers the research question through one theoretical peer-reviewed paper and four peer-reviewed empirical studies, each addressing a separate aspect related to the implementation of notification mechanisms, specifically data breach notification laws. Chapter one studies the role of information availability in the cybersecurity landscape and describes a theoretical model for evaluating data breach notification laws as a solution to tackle information asymmetries in the digital arena. Chapter two fo-cuses on the tangible tools needed to implement such laws, specifically the notification process itself, and analyses the extent to which each organisation has leeway to ensure compliance with the law. Drawing on the variation in time for data breach detection and notification and letter content analysis, chapter four discusses the necessity to implement superseding law in order to bring coherence to the diverse approaches used in different geographical areas. Chapter five then addresses underreporting of data breaches. Finally, chapter six explores the relationship between data breaches and identity theft. The dissertation concludes by reflecting on the shared elements across the studies. The conclusion reflects on the role of disclosure policies in the information security arena and on the implications, given the results of these studies, for European data breach notification policies.