A Framework for the Evaluation of State Breach Reporting Laws

This paper develops a framework for evaluating the effectiveness of cyber security breach reporting laws across states. In doing so, trends and correlations in state reporting along with other relevant factors are identified using readily available data. This paper addresses two critical questions in the assessment of breach reporting legislation: 1) How does the rate of reporting security breaches across states compare with the rate of reporting of security threats to computer operating systems?, and 2) What factors other than the implementation of breach reporting legislation effect the rate of reporting security breaches across states? The framework developed in this paper can be applied in future analyses to evaluate the effectiveness of breach reporting legislation and can assist in pinpointing legislative weaknesses across states. Limitations in the availability of data inspired the generation of a number of recommendations for the improvement of breach reporting law evaluation. First, more time is needed to collect data, as most laws have been in place for two or fewer years. Second, each state should have a central database that records all reported cyber security breaches. This will allow for greater visibility to the public and would make for greater accessibility of data for both consumers and researchers. Finally, further research efforts should be conducted on the topic of OS security vulnerability patch rates and their relevance to the actual, realized cyber threat level of operating systems.