• DocumentCode
    53489
  • Title

    Policy Framework for Data Breaches

  • Author

    Telang, Rahul

  • Volume
    13
  • Issue
    1
  • fYear
    2015
  • fDate
    Jan.-Feb. 2015
  • Firstpage
    77
  • Lastpage
    79
  • Abstract
    Data breaches and firms' responses to them have been in the headlines for the past few years. They seem as inevitable as death and taxes. The recent massive breach at JP Morgan - a bank with high security standards - is a worrisome continuation of the trend. Although some breaches are widely covered in newspapers, many occur at small firms that get little attention. To put it in perspective, according to Privacy Clearinghouse (www.privacyrights.org), more than 4,400 data breaches have been recorded in the US since 2005, exposing nearly one billion records. Why are we seeing so many breaches? Why aren't firms protecting their data more aggressively? And, what can we do about it? These questions aren't new. California passed the data breach notification law in 2003. However, it seems that, in the US, neither firms nor policymakers have made much progress. Therefore, it's a good time to revisit some economic and policy fundamentals of data breaches. My goal here is to offer a broad framework to highlight various tradeoffs and the intuition behind them.
  • Keywords
    business data processing; computer crime; legislation; JP Morgan; US; bank; data breach notification law; economic fundamentals; policy fundamentals; security standards; Computer security; Data security; Economics; Government policies; Industries; Investment; Legal aspects; Standards; breaches; economics; policy; regulations; security;
  • fLanguage
    English
  • Journal_Title
    Security & Privacy, IEEE
  • Publisher
    ieee
  • ISSN
    1540-7993
  • Type

    jour

  • DOI
    10.1109/MSP.2015.12
  • Filename
    7031844