Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?

In order to reduce identity theft and consumer loss caused by data breaches, many U.S. states have enacted laws requiring firms to notify individuals when their personal information has been stolen or lost. The effect of these disclosure laws has yet to be rigorously tested, and some claim that they only serve to burden firms and consumers with unnecessary costs. Leveraging the economic analysis of accident law, we examine whether mandatory disclosure policies can ever reduce overall social costs by inducing firms and consumers to take optimal care. Using both analytical and numerical modeling, we show that even though firm costs will be higher under disclosure regimes, firms can be induced to increase their investment in care, which may lower social costs. Moreover, disclosure can induce consumers to increase their level of care, thus lowering their total costs. Finally, we find that the change in social costs are typically increasing in disclosure ‘tax’ (costs imposed on firms due to disclosure laws) and decreasing in consumer redress (compensation paid to consumers by firms). However, when firms compensate consumers for only a small amount of loss, some disclosure tax may be necessary to optimally reduce social costs.