The legal position and societal effects of security breach notification laws

This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. An SBNL obliges a company or government that suffers a security breach to notify the affected customers and a supervisory authority. A law passes the proportionality test if the requirements of effectiveness and necessity are met. Effectiveness means that there is a causal relationship between the measure and the aim pursued. Necessity means that no less restrictive policy options are available that achieve the same aims. The closely linked subsidiarity test assesses the necessity of a European Union approach: the question whether the aims of the SBNL and of cybersecurity cannot be achieved sufficiently by the Member States individually. Subsidiarity is to a great extent a political question and is consequently treated in less depth. Why these tests? Proportionality and subsidiarity are fundamental principles of EU law. They require the European legislature not to go beyond what is necessary to attain the objectives in the Treaties and to adopt measures only if a European Union approach has added value. The European Court of Justice scrutinizes whether European legislation is in accordance with these principles. The laws assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD). Article 31 PDPR concerns a single uniform personal data breach notification obligation. A personal data breach entails unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national (significant) loss of integrity breach notification obligations. A loss of integrity concerns the loss of control over computer systems. A personal data breach always entails a loss of integrity, but a loss of integrity can also occur without the loss of personal data. 
The aim of the SBNL in the PDPR is “to ensure that individuals are in control of their personal data and trust the digital environment” in order to “increase the effectiveness of the fundamental right to data protection”. The aim of the SBNL in the PCD is “to create a culture of risk management and improve the sharing of information between the private and public sectors.” The subsidiarity question covers cybersecurity in general and SBNLs in particular. The Commission argues that a European cybersecurity approach is necessary because of the cross-border nature of the Internet, the need for a uniformly secure Internet for the Single Market and the protection of fundamental rights. Indeed, there is European cybersecurity legislation and a European cybersecurity policy framework. Regarding the PDPR and the PCD in particular, the Commission argues that national initiatives need to be harmonized in order to create a level playing field, legal certainty and lower administrative burdens for companies that notify. A literature review in this thesis shows that the United States aims to replace state-level SBNLs with a federal SBNL. The obligation to comply simultaneously with multiple SBNLs caused significant administrative burdens for companies. This supports the view that SBNLs can better be achieved at a European level, although this remains a political consideration. From an apolitical point of view, this thesis did not find a convincing argument that a European approach to cybersecurity and SBNLs is inappropriate. The proportionality test contains two elements. The first element, the effectiveness test, is performed more extensively in this thesis than the Commission did in its impact assessments of the PDPR and the PCD. Legal scholars and the European legislator usually assess this first aspect of proportionality only superficially. 
In the PDPR and PCD, the Commission did not mention in what way the SBNL is suitable to achieve the aims “to ensure that individuals are in control of their personal data and trust in the digital environment” and “to create a culture of risk management and improvement of information sharing between private and public parties”. This is a deficiency in the analysis of the legislation. This thesis challenges the aforementioned assumption that the determination of causality is straightforward. It does so by a more substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) the effects of SBNLs. Do the (expected) effects of SBNLs match the aims they should attain according to the European proposals? And are these effects desirable? Legal impact assessments can benefit from this perspective, because knowledge about the effectiveness of the law is enhanced. To structure the empirical study, first- and second-order effects of SBNLs are distinguished. The first-order effect is the effect of (characteristics of) SBNLs on the number of breach notifications. Generating notifications is not one of the final aims of the proposed legislation, but a means to achieve the second-order effect. The second-order effect comprises the positive and negative effects of the law on society. A literature review is conducted to provide an overview of what is already known about these two effects. The quantitative analysis systematically assesses the first-order effect of American SBNLs using a longitudinal dataset of security breach notifications. The subsequent qualitative analysis reviews the perception of Dutch security experts and managers regarding the first- and second-order effects and the outcomes of the quantitative analysis. 
The results can substantiate the first element of the Commission’s proportionality test of European SBNLs: this study proves the first-order effect empirically by analyzing American data. The laws have an effect on the number of breach notifications. The effect is relatively large: a notification increase of at least 50% can be attributed to the law, according to a fixed-effects regression that compares breach notifications before and after the introduction of the law. The database is partly constructed from underlying sources that only register officially notified breaches, which can explain this high relative increase. In absolute terms, the effect is minor: less than 0.05% of companies in America notified a security breach in the eight-year period studied. For comparison: a recent study in the United Kingdom reported that 88% of the companies surveyed had experienced data theft in 2009. The low absolute number of breaches could be explained by the incompleteness of the dataset, high compliance costs for a company due to reputation damage, and unawareness of breaches. The introduction of the law thus has a structural first-order effect, at least in the database of known security breaches. It is, however, ambiguous which aspects of the law cause this effect. The literature review and qualitative analysis showed that enforced sanctions generate compliance with the law and that reputation damage is a major driver of non-compliance. Confidential treatment of the notification and benefits from information sharing about security breaches are perceived as minor incentives for compliance. The quantitative analysis only confirmed that some American laws classified as strict by American attorneys cause an increase in notifications, but it is ambiguous what exactly makes these laws strict. 
The literature review and the qualitative study demonstrated several positive second-order effects perceived in the literature and by security managers and experts, such as increased investments in security, fostered cooperation between companies (literature only), increased consumer awareness of security breaches and faster risk mitigation. The first two effects match the aims of the PCD to (1) create a culture of risk management and (2) enhance information exchange between the private and public sectors, respectively. The last two effects correspond with the aim of the PDPR to enhance individuals’ control over their personal data. However, the positive effects must be nuanced. The security managers interviewed already shared security information with competitors, and did not see an incentive for cooperation with the government following from a security breach notification, because they did not regard the government as a center of expertise. Moreover, a security expert challenged the effect of increased investments in security, because the law provides an incentive to notify, not to improve security practices. Accepting the ‘risk’ of a notification might be less expensive than improving security practices in order to avoid notifications. This is, however, not confirmed by the literature review or by the other qualitative analysis, which implies that the risk of providing no incentive at all to improve security practices must be perceived as low. Lastly, an increased number of security breach notifications might result in an overload of information, which could in turn result in disinterest and notification fatigue instead of enhanced awareness and risk mitigation. This overload is not a big threat given the current low number of notified security breaches. For instance, in America about 600 million records were breached in the eight-year period observed. This would mean that, on average, an American citizen would be notified twice in eight years. 
Hence, the second-order effects found in the literature and the qualitative analysis, although they are perceptions that must be nuanced, do match the objectives pursued in the legislation. But the objectives are vaguely defined, and while their attainment could constitute effectiveness in the legal sense, the question remains what makes an SBNL effective and when an SBNL is effective. Moreover, the literature and the qualitative analysis also associate additional negative effects with SBNLs, such as reputational costs and maintenance costs. The second element of the proportionality test concerns the question whether less restrictive, equally effective measures are available. The SBNL can restrict companies, because it infringes the fundamental freedom to conduct a business by imposing administrative, compliance and reputational costs. This study offers two observations concerning this infringement. First, the freedom to conduct a business is infringed more than the Commission states. The Commission’s cost assessment only included the costs of making a notification, which are estimated at between 125 and 20,000 euro per notification. But the literature and the qualitative analysis showed that there are costs the Commission did not take into account, such as the reputation damage incurred (estimated at up to 2% of a company’s turnover) and the costs of processing and enforcing breach notifications. The Commission’s cost estimate thus underestimates the total societal costs of an SBNL. Second, the coexistence of the PDPR and the PCD unnecessarily infringes the freedom to conduct a business, as it imposes unnecessary costs on companies. In many cases, a breach would therefore have to be notified twice, to both the European supervisory authority and the competent national authority, because the scopes of personal data loss and loss of integrity overlap. Moreover, the proposals are regulated by different legal instruments and send different signals. 
The confidential treatment in the PCD will not function properly if companies are simultaneously forced to publicly disclose the same information under the PDPR. To conclude, the fuzziness of the aims and the complexity of measuring effects hamper the determination of a reasonable expectation of causality between the measure and the aims pursued. The Commission sets aims that are fuzzy and hard to measure, and does not specify how these goals will be achieved through the adoption of SBNLs. Likewise, the empirical measurement of effects in part ? showed that it is complex to pinpoint the effects of SBNLs. Moreover, the Commission underestimated societal costs and adverse effects. In my view, in the current situation, a reasonable expectation of effectiveness is not demonstrated sufficiently. In the theoretically desired situation, the goals are clear and measurable. The law is effective because the measurable aims are achieved by the measure. But still, effectiveness is not simply attaining aims. Even if the causal relation between the measure and its aims can be proved in a narrow sense, the question remains whether the achievement of these aims is effective. From a security economics perspective, it can be argued that the law is effective if the benefits of the positive effects outweigh the societal costs of the negative effects. This requires an accurate empirical measurement of these effects, initiated in part ?, and a quantification of these effects. Unfortunately, this approach to effectiveness does not cover non-economic, non-measurable aims such as the protection of fundamental rights. The protection of fundamental rights is not always ‘efficient’ and certainly cannot always be quantified, but European legislation must remain within the boundaries of fundamental rights. Moreover, the complexity of legal interventions in the field of cybersecurity makes it impossible to provide an exhaustive balance sheet of all (expected) effects. 
A security economics perspective is thus not the perfect means to define effectiveness, because some aims are not measurable and the expected effects are complex. Neither a legal nor an economic approach provides an optimal outcome for the definition of ‘effectiveness’. There is no uniform view of what makes a law effective. Thus, the effectiveness question remains. What is needed to determine the effectiveness of SBNLs? Who may decide when a law is effective? In a democracy, we all should decide. More concretely: the European Commission, Parliament and Council state ex ante, in the ordinary legislative procedure, the aims of the law. The European Court of Justice decides ex post whether the law is effective. Thus, effectiveness is redefined, as the legal and economic approaches to effectiveness are troublesome. This definition must be regarded as a starting point for further research on interpreting the effectiveness of the law. "Effectiveness is the causality between a piece of legislation and its aims, defined by a democratic decision-making process in which as much information as possible about (potential) positive and negative effects is provided." Hence, taking this definition into account, improving the information about potential positive and negative effects is the key tool to enhance the effectiveness of the law and correctly assess its necessity. The empirical analysis executed in this thesis has provided knowledge about the effects of SBNLs that can be used by the Commission. Increased availability of information about (expected) societal impact enhances the decision-making of the legislature ex ante and the scrutiny of the Court ex post, which together determine the proportionality of cybersecurity laws. The Commission, which has the power of initiative, should invest in providing this information. To conclude, additional information about the effects of legislation on society will improve the quality of draft legislation and the judicial decision about proportionality. 
For example, information about the adverse reputation damage to companies, demonstrated in this thesis, will play a vital role when judging the infringement on the freedom to conduct a business. Additional information about effects will not be decisive in a judicial decision, since non-measurable effects also need to be balanced and (expected) effects have a certain margin of error. The proportionality test as such must be seen in relation to these inherent flaws in measuring the effectiveness of the law on society. Often, causality between the measure and the aim cannot and will not be ‘proven’ scientifically by the legislature and the Court. Nevertheless, the proportionality principle has been a cornerstone of European law for analyzing the effectiveness and necessity of legislation. Further enhancing the execution of this principle by improving information about societal effects increases the democratic legitimacy of European Union law. Therefore, this thesis recommends that the European Commission improve the information about effects. This is done by improving the measurement of (the expectation of) effects before and after the adoption of the law. These recommendations can be used for improving European laws in general and the PDPR and PCD in particular. Before the adoption of the law, the Commission should provide a reasonable expectation of effectiveness. This entails the operationalization of measurable aims, the separation of non-measurable aims and a substantiated expectation of causality between the law and the aims. This thesis recommends operationalizing aims that are in essence measurable. For instance, the perception of personal data control by European citizens can be measured. Another option is to use a proxy. The number of personal data security breaches serves as a proxy for the aim of personal data control. 
Fundamental rights that are associated with the aims of the legislation, such as the freedom of speech and the freedom of expression, have an intrinsic value that cannot be operationalized. These important non-measurable aims should be included separately as informative input for a democratic legislative decision-making process. An effective democratic decision-making process also necessitates an extensive overview of potential negative effects. To provide a reasonable expectation of effectiveness, an extensive study of the expected effects is recommended, by means of academic literature, available secondary comparative (quantitative) analysis and expert interviews. This threefold approach, adhered to in this thesis, has enhanced the knowledge about expected effects and requires further development and wider application. As a result, a conceptual framework clarifies the effects in order to improve the decision-maker’s information. Before the introduction of the law, the increased information about expected positive and negative effects and about non-measurable aims allows for a better-informed discussion about the desirability of the legislation. Ideally, the expected effects of the measurable part of the legislation will be quantified in order to clarify and structure the discussion about the desirability of the law. Consequently, the discussion solely concerns normative choices about the balance between the non-quantifiable effects and the sum of the measurable positive and negative effects. After the introduction of the law, the central registration of breach notifications, surveys about the perceived effectiveness of the law and the registration of relevant proxies are key tools to empirically measure effectiveness.