Why US cybersecurity laws aren’t stopping hackers


In our digital world, cyberattacks are a growing threat, with personal information of over 400 million users at risk.

To combat this, all 50 US states have laws requiring companies to tell you if your data has been stolen.

However, recent research shows these laws might not be helping much.

Brad Greenwood, a professor at George Mason University, and Paul M. Vaaler from the University of Minnesota, dug into this issue.

They looked at data from the Privacy Rights Clearinghouse, which tracks data breaches, and additional information from the Federal Trade Commission.

Their study spanned from 2005 to 2019 and aimed to see if these breach notification laws (BNLs) made any difference in reducing data breaches or their impact.

Surprisingly, their findings showed that these laws haven’t led to fewer data breaches or less misuse of data afterwards.

Greenwood noted that the results were unexpectedly clear-cut: these laws appear not to have met their goal of making our data safer.

One reason Greenwood suggests for the failure of BNLs is that people have become too used to hearing about cyberattacks and data breaches. This “general numbness” means that companies aren’t feeling enough pressure to improve their cybersecurity to avoid damage to their reputation.

To really push companies towards better cybersecurity, Greenwood believes there needs to be a clear financial benefit for having strong security, or a financial penalty for failing to protect data.

He and Vaaler have a few ideas on how to make this happen:

  1. Cybersecurity Scores: The Federal Trade Commission could give every large company a cybersecurity score. This would let everyone know how safe a company’s systems are, making it easier to choose whom to trust with your data.
  2. Mandatory Security Standards: The government could require companies to meet certain security standards, like those set by the National Institute of Standards and Technology (NIST). This would ensure every company has at least basic protections in place.
  3. Legal Changes: It’s tough for people to sue companies over data breaches because the law requires them to prove they were significantly harmed. Changing these laws could make companies more accountable.

Greenwood points out that courts are starting to recognize the effort and time people spend fixing issues from a data breach as a form of harm. This could open up more opportunities for legal action against companies that don’t protect their data well.

The bottom line, according to Greenwood, is that the current way of doing things isn’t stopping cybercriminals. For things to improve, there need to be significant changes to how we handle cybersecurity and protect consumers from data breaches.

Source: George Mason University.