Data Breach Disclosure Laws: Do They Really Protect Us?

"A critical look at whether data breach disclosure laws are effective in driving cybersecurity improvements."


In our increasingly digital world, data breaches have become a pervasive threat, casting a long shadow over individuals and organizations alike. News headlines regularly scream about massive data leaks, compromised personal information, and the potential for identity theft. In response to this growing menace, many governments have enacted data breach disclosure laws (DBDLs), designed to compel companies to notify affected individuals when their personal data has been compromised.

The core idea behind these laws is simple: transparency promotes accountability. By requiring companies to disclose breaches, lawmakers hope to incentivize them to invest more in cybersecurity and to take better care of the data they hold. The expectation is that fear of reputational damage and potential customer backlash will drive firms to improve their security practices. But do these laws actually work as intended? Or are they just a well-intentioned but ultimately ineffective measure in the complex landscape of cybersecurity?

A new study casts doubt on the efficacy of DBDLs, suggesting that they may not be the powerful tool for enhancing cybersecurity that policymakers had hoped. By analyzing a large-scale data breach at a major US retailer, the research finds little evidence that these laws lead to significant changes in firm behavior or a reduction in future breaches. This challenges the conventional wisdom and raises important questions about how best to protect consumers in the digital age.

Do Data Breach Disclosure Laws Really Change Anything?

The study begins by outlining the presumed mechanism through which DBDLs are expected to work. The theory goes like this: When a company experiences a data breach, it suffers a loss of reputation. Customers, concerned about the security of their data, may choose to take their business elsewhere. This potential revenue loss then motivates the company to invest more in cybersecurity to prevent future breaches. However, the study questions whether this mechanism actually holds in practice.

To test this, the researchers examined a major data breach at Home Depot in 2014. This breach, which compromised the payment card data of 56 million customers, was one of the largest retail breaches in history. The researchers analyzed sales data from 302 Home Depot stores over a 20-week period around the time of the breach disclosure to see if there was any noticeable decline in revenue.

  • The researchers looked at stores located near competitors, assuming customers could easily switch.
  • They considered the size of the stores, reasoning that larger stores might have loyal customers less likely to change.
  • They examined the effect of the breach both immediately after disclosure and in the weeks that followed.

Contrary to expectations, the analysis revealed no significant evidence of a decline in revenue at Home Depot stores after the data breach disclosure. Whether they looked at all stores, or just those in competitive areas, there was no statistically significant drop in sales. This suggests that the presumed mechanism through which DBDLs are supposed to work may not be as effective as previously believed.

Rethinking Data Protection

These findings challenge the conventional wisdom surrounding data breach disclosure laws and raise important questions about their effectiveness. While transparency and accountability are undoubtedly important goals, it appears that simply requiring companies to disclose breaches may not be enough to drive meaningful improvements in cybersecurity. Policymakers may need to consider alternative or supplementary strategies, such as stronger ex-ante regulations, incentives for proactive security investments, or stronger legal frameworks to hold firms accountable.

About this Article

This article was crafted using a human-AI hybrid and collaborative approach. AI assisted our team with initial drafting, research insights, identifying key questions, and image generation. Our human editors guided topic selection, defined the angle, structured the content, ensured factual accuracy and relevance, refined the tone, and conducted thorough editing to deliver helpful, high-quality information. See our About page for more information.

This article is based on research published under:

DOI-LINK: https://doi.org/10.48550/arXiv.2406.15215

Title: Sound And Fury, Signifying Nothing? Impact Of Data Breach Disclosure Laws

Subject: cs.cr cs.cy econ.gn q-fin.ec

Authors: Muhammad Zia Hydari, Yangfan Liang, Rahul Telang

Published: 21-06-2024

Everything You Need To Know

1. What are Data Breach Disclosure Laws (DBDLs) designed to achieve?

Data Breach Disclosure Laws (DBDLs) are enacted to compel companies to notify individuals when their personal data has been compromised in a data breach. The core idea is that this transparency promotes accountability. The expectation is that fear of reputational damage and potential customer backlash will drive firms to improve their security practices and invest more in cybersecurity.

2. Why is the effectiveness of Data Breach Disclosure Laws (DBDLs) being questioned?

A study suggests that DBDLs may not be as effective as policymakers had hoped. The study found little evidence that these laws lead to significant changes in firm behavior or a reduction in future breaches. This finding challenges the conventional wisdom that DBDLs are a powerful tool for enhancing cybersecurity.

3. How did the study analyze the impact of a data breach on a specific company?

The researchers examined a major data breach at Home Depot in 2014, which compromised the payment card data of 56 million customers. They analyzed sales data from 302 Home Depot stores over a 20-week period around the time of the breach disclosure to see if there was any noticeable decline in revenue. They looked at stores located near competitors and considered the size of the stores.

4. What were the findings of the Home Depot data breach analysis concerning Data Breach Disclosure Laws (DBDLs)?

The analysis revealed no significant evidence of a decline in revenue at Home Depot stores after the data breach disclosure. Whether they looked at all stores, or just those in competitive areas, there was no statistically significant drop in sales. This suggests that the presumed mechanism through which DBDLs are supposed to work may not be as effective as previously believed, questioning the laws' impact on consumer behavior and company practices.

5. What alternative strategies are suggested for improving data protection beyond Data Breach Disclosure Laws (DBDLs)?

The findings suggest that simply requiring companies to disclose breaches may not be enough to drive meaningful improvements in cybersecurity. Policymakers may need to consider alternative or supplementary strategies, such as stronger ex-ante regulations, incentives for proactive security investments, or stronger legal frameworks to hold firms accountable. These alternatives aim to provide more comprehensive protection and encourage better security practices.
