Page 1: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

Master Thesis Bernold Nieuwesteeg August 2013

The Legal Position and Societal Effects of Security Breach Notification Laws


The Legal Position and Societal Effects of Security Breach Notification Laws

Master Thesis

Author: B.F.H. Nieuwesteeg BSc LLB

Email: [email protected]

Faculty of Law, Economics and Governance, LLM European Law
Graduation committee
Graduation supervisor: Dr. S.A. de Vries, Associate Professor at the Europa Institute; Jean Monnet Chair in EU Single Market Law & Fundamental Rights
Second reader: Dr. A. van den Brink, Associate Professor & Director at the Europa Institute

Faculty of Technology, Policy and Management, MSc Systems Engineering, Policy Analysis and Management
Graduation committee
Chairman: Prof. Dr. M.J.G. van Eeten, Professor Governance of Cybersecurity
1st supervisor: Dr. ir. B.M. Steenhuisen, Assistant Professor at the research group Policy, Organization, Law and Gaming
2nd supervisor: Dr. ir. J. van den Berg, Associate Professor at the research group Information and Communication Technology


This thesis is written in Cambria. Cambria was designed by Dutch typographer Jelle Bosma in 2004, with Steve Matteson and Robin Nicholas. It is specifically designed to be aesthetically pleasing at relatively small sizes, which might facilitate the reader to achieve enhanced thought experiments.

© 2004 Cambria: Ascender Corporation


Executive summary

This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. An SBNL obliges that a security breach within a company or government must be notified to affected customers and a supervisory authority. A law stands the proportionality test if the requirements of effectiveness and necessity are met.¹ Effectiveness means that there is a causal relationship between the measure and the aim pursued. Necessity means that no less restrictive policy options are available that achieve the same aims.² The closely linked subsidiarity test assesses the necessity of the European Union approach: the question whether the aims of the SBNL and cybersecurity cannot be achieved sufficiently by the Member States individually.³ Subsidiarity is to a great extent a political question and consequently described more limitedly.

Why these tests? Proportionality and subsidiarity are fundamental principles of EU law. They demand the European legislature not to go beyond what is necessary to attain the objectives in the Treaties and to only adopt measures if a European Union approach has added value. The European Court of Justice scrutinizes whether European legislation is in accordance with these principles.

The laws that have been assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD).⁴ Article 31 PDPR concerns a single uniform personal data breach notification obligation. A personal data breach entails the unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national (significant) loss of integrity breach notification obligations.⁵ A loss of integrity concerns the loss of control over computer systems. A personal data breach always entails a loss of integrity, but a loss of integrity can also occur without the loss of personal data. The aim of the SBNL in the PDPR is "to ensure that individuals are in control of their

¹ Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-0000.
² Damian Chalmers, Gareth Davies and Giorgio Monti, European Union Law (second edition, Cambridge University Press 2010) 362. There is also a third criterion, proportionality stricto sensu, which is sometimes mentioned separately, see section 3.2.1 of this research.
³ See also Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality [2007] OJ C-310/207; Paul Craig and Gráinne de Búrca, EU Law - Text, Cases and Materials (fifth edition, Oxford University Press 2011) 95.
⁴ European Commission 'Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (Proposed Data Protection Regulation) COM(2012) 11 final; European Commission 'Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union' (Proposed Cybersecurity Directive) COM(2013) 48 final.
⁵ A Dutch initiative for an SBNL focusing on loss of integrity will be discussed extensively in this thesis.


personal data and trust the digital environment"⁶ in order to "increase the effectiveness of the fundamental right to data protection".⁷ The aim of the SBNL in the PCD is: "to create a culture of risk management and improve the sharing of information between the private and public sectors."⁸

The subsidiarity question covers cybersecurity in general and SBNLs in particular. The Commission argues that a European cybersecurity approach is necessary because of the cross-border aspect of the Internet, the necessity of a uniform secure Internet for the Single Market and the protection of fundamental rights. Indeed, there is European cybersecurity legislation and a European cybersecurity policy framework. Regarding the PDPR and the PCD in particular, the Commission argues that there is a need to harmonize national initiatives in order to create a level playing field, legal certainty and lower administrative burdens for companies to notify. A literature review in this thesis shows that the United States aims to replace state-level SBNLs by a federal SBNL. The obligation to comply simultaneously with multiple SBNLs caused significant administrative burdens for companies. This strengthens the conception that SBNLs can better be achieved at a European level, although this remains a political consideration. From an apolitical point of view, this thesis did not find a convincing argument about the inappropriateness of a European approach regarding cybersecurity and SBNLs.

The proportionality test contains two elements. The first element of the proportionality test, the effectiveness test, is performed more extensively in this thesis than the Commission did in its impact assessment of both the PDPR and the PCD. Legal scholars and the European legislator usually assess the first aspect of proportionality limitedly.⁹ In the PDPR and PCD, the Commission did not mention in what way the SBNL is suitable to achieve the aim "to ensure that individuals are in control of their personal data and trust in the digital environment" and "to create a culture of risk management and improvement of information sharing between private and public parties".

This is a deficiency in the analysis of legislation. This thesis challenges the aforementioned assumption that determination of causality is straightforward. This is done by a more substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) effects of SBNLs. Do the (expected) effects of SBNLs match the aims they should attain according to the European proposals?

⁶ European Commission 'Impact Assessment accompanying (proposed) Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (Impact Assessment of the Data Protection Regulation) SEC(2012) 72 final, section 5.3.1.
⁷ Ibid.
⁸ European Commission 'Impact Assessment accompanying the Proposal for a Directive of the European Parliament and of the Council Concerning measures to ensure a high level of network and information security across the Union' (Impact assessment of the Cybersecurity Directive) SWD(2013) 32 final, section 6.1.
⁹ See for instance Jan H Jans, 'Proportionality Revisited' (2000) 27(3) Legal Issues of Economic Integration 239, 240 and section 1.2 of this research.


And are these effects desirable? Legal impact assessments can benefit from this perspective, because knowledge about the effectiveness of the law will be enhanced.

To structure the empirical study, a first and second order effect of SBNLs have been distinguished. The first order effect is the effect of (characteristics of) SBNLs on the amount of breach notifications. Generating notifications is not one of the final aims of the proposed legislation, but a means to achieve the second order effect. The second order effect includes the positive and negative effects of the law on society. A literature review is conducted to provide an overview of what is already known concerning those two effects. The quantitative analysis systematically assesses the first order effect of American SBNLs by a longitudinal dataset containing security breach notifications. The subsequent qualitative analysis reviews the perception of Dutch security experts and managers regarding the first and second order effect and outcomes of the quantitative analysis.

The results can substantiate the first element of the Commission's proportionality test of European SBNLs:

This study proves the first order effect empirically by means of analyzing American data. The laws have an effect on the amount of breach notifications. The effect is relatively large: a notification increase of at least 50% can be attributed to the law, by a fixed effects regression analyzing differences in breach notification before and after the introduction of the law. The database is partly constructed by underlying sources that only register officially notified breaches, which can explain this high relative increase. From an absolute perspective, the effect is minor: less than 0.05% of the companies notified a security breach in America in the eight-year period that was researched. To compare: a recent study in the United Kingdom published that 88% of the companies surveyed had experienced data theft in 2009. The low absolute number of breaches could be explained by the incompleteness of the dataset, high compliance costs for a company due to reputation damage and unawareness of breaches. The introduction of the law thus has a structural first order effect, at least in the database of known security breaches. It is however ambiguous which aspects of the law cause this effect. Literature review and qualitative analysis showed that enforced sanctions generate compliance with the law and that reputation damage is a major driver for non-compliance. Confidential treatment of the notification and benefits from information sharing about security breaches are perceived as minor incentives for compliance. The quantitative analysis only confirmed that some American laws qualified as strict by American attorneys cause an increase in notifications, but it is ambiguous what exactly makes these laws strict.

The literature review and the qualitative study demonstrated several positive second order effects perceived in literature and by security managers and experts, such as increased investments in security, fostered cooperation between companies (literature only), increased awareness of consumers of security breaches and faster risk mitigation. The first two effects match with the aim of the PCD to 1.) create a culture of risk management and 2.) enhance information exchange between the private and public sectors respectively. The last two effects correspond with the aim of the PDPR to


enhance personal data control of individuals. However, the positive effects can be nuanced. The security managers interviewed already shared security information with competitors, and did not see an incentive for cooperation with the government following from a security breach notification, because they did not value the government as a center of expertise. Moreover, a security expert challenged the effect of increased investments in security because the law provides an incentive to notify, not to improve security practices. Accepting the 'risk' of a notification might be less expensive than improving security practices in order to avoid notifications. This is however not confirmed in literature review or by other qualitative analysis, which implies that the risk of not providing incentives to improve security practices at all must be perceived as low. Lastly, an increased number of security breach notifications might result in an overload of information that could also result in disinterest and a notification fatigue instead of enhanced awareness and risk mitigation.¹⁰ This overload is not a big threat given the current low amount of notified security breaches. For instance, in America, about 600 million records were breached in the eight-year period observed.¹¹ This would entail that, on average, an American citizen would be notified twice in eight years. Hence, the second order effects in literature and qualitative analysis, although they are perceptions that can be nuanced, do match the objectives pursued in legislation. But, the objectives are vaguely defined and while their attainment could constitute effectiveness in the legal sense, the question remains what makes an SBNL effective and when an SBNL is effective. Moreover, there are also additional negative effects associated with SBNL in literature and qualitative analysis, such as reputational costs and maintenance costs. The effects of SBNLs and their relation with the aims of legislation are mapped in table 1.

| Effects | Order | Lit (literature review) | Qual (qualitative analysis) | Quan (quantitative analysis) | Relation with legislation |
|---|---|---|---|---|---|
| Enforced sanctions | 1st | V | V | X | |
| Reputational damage | 1st | V | V | - | |
| Appropriateness | 1st | V | V | - | |
| Benefits inf. sharing | 1st | V | V | - | |
| Confidential treatment | 1st | X | V | - | |
| Overall first order effect | 1st | - | V | V | |
| Faster risk mitigation | 2nd (positive) | V | V | - | Aim PDPR: enhance personal data control of individuals |
| Increased awareness consumers | 2nd (positive) | V | V | - | Aim PDPR: trust in the digital environment |
| Increased security investments | 2nd (positive) | V | V | - | Aim PCD: create a culture of risk management |
| Fostered cooperation | 2nd (positive) | V | X | - | Aim PCD: enhance information exchange between the private and public sectors |
| Reputational costs for companies | 2nd (negative) | V | V | - | |
| Compliance costs for companies | 2nd (negative) | V | V | - | (Only) compliance costs are estimated by the Commission |
| Maintenance and processing costs for Member States | 2nd (negative) | V | - | - | |
| Costs of increased investments and cooperation for companies | 2nd (negative) | V | - | - | |
| Notification fatigue for consumers | 2nd (negative) | V | - | - | Aim PDPR: enhance personal data control of individuals; Aim PDPR: trust in the digital environment |
| Incentive to notify, not to improve security for companies | 2nd (negative) | - | V | - | Aim PCD: create a culture of risk management |

Table 1: effects of SBNLs (V = proved or mentioned; X = disproved; "-" = not researched)

¹⁰ Impact assessment PDPR (n 6), section 14.3.1 under 4).
¹¹ The three largest breaches in the United States database contain 300 million records, see chapter 5.
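The first order effect reported above (a notification increase of at least 50% attributed to the law by a fixed effects regression on before/after differences) can be illustrated with a two-way fixed effects estimate on a constructed state-by-year panel. The code below is an added example and is not the thesis's data or code: the states, years, introduction dates and parameters are made up, and the outcome is taken to be the log of notifications per firm per state-year (an assumed specification; the thesis does not state its exact model here). It also contrasts the fixed effects estimate with a naive before/after comparison, which is biased upward by the common time trend because states with a law in force are observed disproportionately in later years.

```python
"""Two-way fixed effects estimate of an SBNL's first order effect.

Added example on a constructed state-by-year panel; not the thesis's data
or code. Outcome: log(notifications per firm) in a state-year (assumed).
Model: y_it = a_i + g_t + beta * Law_it, where Law_it is 1 once the state's
SBNL is in force. For a balanced panel the two-way within transformation
(subtract state mean and year mean, add the grand mean) removes a_i and g_t
exactly, so OLS on the demeaned data recovers beta.
"""
import math

# Constructed panel: four states observed over eight years (2002-2009).
STATES = ["A", "B", "C", "D"]
YEARS = list(range(2002, 2010))
# Made-up introduction years; D never adopts a law inside the window.
LAW_YEAR = {"A": 2004, "B": 2006, "C": 2008, "D": None}

# Hypothetical true parameters used only to generate the constructed data.
TRUE_EFFECT = math.log(1.5)  # the law multiplies notifications by 1.5 (+50%)
STATE_EFFECT = {"A": -6.0, "B": -5.5, "C": -6.2, "D": -5.8}  # state baselines
YEAR_EFFECT = {y: 0.05 * (y - 2002) for y in YEARS}  # common upward trend


def law_in_force(state, year):
    """1 if the state's SBNL applies in that year, else 0."""
    intro = LAW_YEAR[state]
    return 1 if intro is not None and year >= intro else 0


def build_panel():
    """Rows of (state, year, law, log_rate); deterministic, no noise term."""
    rows = []
    for s in STATES:
        for y in YEARS:
            law = law_in_force(s, y)
            log_rate = STATE_EFFECT[s] + YEAR_EFFECT[y] + TRUE_EFFECT * law
            rows.append((s, y, law, log_rate))
    return rows


def two_way_demean(values, units, times):
    """Subtract the unit mean and the time mean, add back the grand mean."""
    grand = sum(values) / len(values)
    unit_sum, unit_n, time_sum, time_n = {}, {}, {}, {}
    for v, u, t in zip(values, units, times):
        unit_sum[u] = unit_sum.get(u, 0.0) + v
        unit_n[u] = unit_n.get(u, 0) + 1
        time_sum[t] = time_sum.get(t, 0.0) + v
        time_n[t] = time_n.get(t, 0) + 1
    return [
        v - unit_sum[u] / unit_n[u] - time_sum[t] / time_n[t] + grand
        for v, u, t in zip(values, units, times)
    ]


def fixed_effects_estimate(rows):
    """Two-way fixed effects slope of the log rate on the law indicator."""
    units = [r[0] for r in rows]
    times = [r[1] for r in rows]
    law = two_way_demean([float(r[2]) for r in rows], units, times)
    y = two_way_demean([r[3] for r in rows], units, times)
    sxy = sum(l * v for l, v in zip(law, y))
    sxx = sum(l * l for l in law)
    return sxy / sxx


def naive_estimate(rows):
    """Mean log rate with a law minus mean without, ignoring state and year effects."""
    with_law = [r[3] for r in rows if r[2] == 1]
    without = [r[3] for r in rows if r[2] == 0]
    return sum(with_law) / len(with_law) - sum(without) / len(without)


def percent_increase(beta):
    """Convert a log-point effect into a percentage change in notifications."""
    return (math.exp(beta) - 1.0) * 100.0


if __name__ == "__main__":
    panel = build_panel()
    fe = fixed_effects_estimate(panel)
    naive = naive_estimate(panel)
    print(f"fixed effects: {fe:.4f} log points = {percent_increase(fe):.1f}% increase")
    print(f"naive before/after: {naive:.4f} log points = {percent_increase(naive):.1f}% increase")
```

Because the constructed data contain no noise, the fixed effects estimate returns the generating effect exactly; on real notification data the same estimator would carry a standard error, and the thesis's "at least 50%" should be read against such an interval. The naive comparison overstates the effect here because it attributes the upward year trend to the law.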

The second element of the proportionality test concerns the question whether there are less restrictive equally effective measures available. The SBNL can restrict companies, because it infringes the fundamental freedom to conduct a business by imposing administrative, compliance and reputational costs.¹² This study offers two observations concerning this infringement.

First, the freedom to conduct business is more infringed than the Commission states. The cost assessment of the Commission only included the costs of making a notification, which are estimated between 125 euro and 20 000 euro per notification. But, literature and qualitative analysis showed that there are costs that the Commission did not take into account, such as the reputation damage incurred (estimations up to 2% of a company's turnover) and the costs of processing and enforcement of breach notifications. The cost estimation of the Commission thus is undervalued compared with the total societal costs of an SBNL.

Second, the coexistence of the PDPR and the PCD unnecessarily infringes the freedom to conduct a business as it imposes unnecessary costs for companies. In many cases, a breach thus should be notified twice to both the European supervisory authority and to

¹² See also within the context of Case C-70/10 Scarlet Extended v SABAM [2011] ECR I-0000, discussed in section 3.2.2 of this research. The freedom to conduct business can be infringed by imposing unnecessary administrative burdens.


the competent national authority, because the scope of personal data loss and loss of integrity overlap.¹³ Moreover, the proposals are regulated by a different legal instrument and emit different signals. The confidential treatment in the PCD will not function properly if simultaneously companies are forced to publicly disclose the same information in the PDPR.

To conclude, the fuzziness of the aims and the complexity of measuring effects hamper the determination of a reasonable expectation of causality between the measure and the aims pursued. The Commission sets aims that are fuzzy and hard to measure, and does not specify how these goals will be achieved through the adoption of SBNLs. Likewise, the empirical measurement of effects in part β showed that it is complex to pinpoint effects of SBNLs. Moreover, the Commission undervalued societal costs and adverse effects.

In my view, in the current situation, a reasonable expectation of effectiveness is not demonstrated sufficiently. In the theoretically desired situation, the goals are clear and measurable. The law is effective because the measurable aims are achieved by the measure. But, still, effectiveness is not simply attaining aims. Even if the causal relation between the measure and its aims can be proved in a narrow sense, the question remains whether the achievement of these aims is effective. From a security economics perspective, it can be argued that the law is effective if the revenues of positive effects are higher than the societal costs of negative effects.¹⁴ This requires an accurate empirical measurement of these effects, initiated in part β, and a quantification of these effects. Unfortunately, this approach towards effectiveness does not cover non-economic, non-measurable aims such as the protection of fundamental rights. The protection of fundamental rights is not always 'efficient' and can certainly not always be quantified, but European legislation must remain within the boundaries of fundamental rights.¹⁵ Moreover, the complexity of the legal interferences in the field of cybersecurity makes it impossible to provide an exhaustive balance sheet of all (expected) effects. A security economics perspective would not be the perfect means to define effectiveness, because some aims are not measurable and expected effects are complex.

Both a legal and an economic approach do not provide an optimal outcome for the definition of 'effectiveness'. There is no uniformity of what makes a law effective. Thus, still the effectiveness question remains. What is needed to determine the effectiveness of SBNLs? Who may decide when a law is effective? In a democracy, we all should decide. More concrete: the European Commission, Parliament and Council state ex ante

¹³ The severity of this unnecessary burden depends on the extent to which the two administrative systems that process breach notifications cooperate.
¹⁴ See table 1, effects of SBNLs. One could also argue that only a Pareto improvement of a positive effect would be preferable.
¹⁵ In countries such as China, where there is more limited attention for fundamental rights, governmental policies, for instance the construction of a highway, can be executed far more efficiently than in the European Union.


in the ordinary legislative procedure the aims of the law. The European Court of Justice decides ex post whether the law is effective. Thus, effectiveness is redefined, as legal and economic approaches towards effectiveness are troublesome. This definition must be regarded as a starting point for further research on interpreting effectiveness of the law.

Effectiveness is the causality between a legislation and its aims defined by a democratic decision making process where as much information as possible about (potential) positive and negative effects is provided.

Hence, taking this definition into account, improving information about potential positive and negative effects is the key tool to enhance effectiveness of the law and correctly assess its necessity. The executed empirical analysis in this thesis has provided knowledge about the effects of SBNLs that can be used by the Commission. Increased availability of information about societal impact (expectations) enhances decision making of the legislature ex ante and the scrutiny of the Court ex post that determine the proportionality of cybersecurity laws. The Commission, which has the power of initiative, should invest to provide this information.

To conclude, additional information about effects of legislation on society will improve the quality of draft legislation and the judicial decision about proportionality. For example, information about the adverse reputation damage on companies, demonstrated in this thesis, will play a vital role when judging about the infringement on the freedom to conduct business. Additional information about effects will not be decisive in a judicial decision, since also non-measurable effects need to be balanced and (expected) effects have a certain margin of error. The proportionality test as such must be seen in relation to these inherent flaws within measuring effectiveness of the law on society. Often, causality between the measure and the aim can and will not be 'proven' scientifically by the legislature and the Court. Nevertheless, the proportionality principle has been a cornerstone of European Law to analyze the effectiveness and necessity of legislation. Further enhancement of the execution of this principle by improving information about societal effects increases the democratic legitimacy of European Union law.

Therefore, this thesis recommends the European Commission to enhance information about effects. This can be done to improve the measurement of (the expectation of) effects before and after the adoption of the law. These recommendations can be used for improving European laws in general and the PDPR and PCD in particular.

Before the adoption of the law, a reasonable expectation of effectiveness should be provided by the Commission. This entails the operationalization of measurable aims, the separation of non-measurable aims and a substantiated expectation of causality between the law and the aims.¹⁶

¹⁶ Operationalization is the process of redefining an ambiguous concept to make it measurable in order to perform empirical observations.


This thesis recommends to operationalize aims that are in essence measurable. For instance, the perception of personal data control by European citizens can be measured. Another option is to use a proxy.¹⁷ The amount of personal data security breaches serves as a proxy for the aim of personal data control. Fundamental rights that are associated with the aims of the legislation, such as the freedom of speech and the freedom of expression, have an intrinsic value, which cannot be operationalized. These important non-measurable aims should be included separately as informative input for a democratic legislative decision making process. An effective consideration of the democratic decision making process necessitates an extensive overview of potential negative effects as well.

To provide a reasonable expectation of effectiveness, an extensive study of the expected effects is recommended by means of academic literature, secondary available comparative (quantitative) analysis and expert interviews.¹⁸ This threefold approach, adhered to in this thesis, has enhanced the knowledge about expected effects and requires further development and a wider application.¹⁹ As a result, a conceptual framework clarifies the effects to enhance the decision maker's information.²⁰

Before the introduction of the law, the increased information about expected positive and negative effects and non-measurable aims allows for a more enhanced discussion about the desirability of the legislation. Ideally, the expected effects of the measurable part of the legislation will be quantified in order to clarify and structure the discussion about the desirability of the law. Consequently, the discussion solely concerns normative choices about the balance between non-quantifiable effects with the sum of the measurable positive effects and negative effects. After the introduction of the law, the central registration of breach notifications, surveys about the perception of the effectiveness of the law and the registration of relevant proxies are key tools to empirically measure effectiveness.

¹⁷ A proxy is a measurable unit that can be used to represent a non-measurable unit, to approximate or substitute the current aims.
¹⁸ Such as performed in this thesis in part β.
¹⁹ Currently, the fuzziness of the aims and the complexity of measuring effects hamper the determination of a reasonable expectation of causality between the measure and the aims pursued.
²⁰ See section 8.1.2 of this research for a conceptual diagram of the first order effect of SBNLs.


Table of Contents

Executive summary ..... v
Table of Contents ..... xiii
Acknowledgements ..... xvii
List of tables ..... xviii
List of figures ..... xix
List of acronyms and abbreviations ..... xx
Preface: law and its impact on society ..... xxi

1 Introduction ..... 1
1.1 Internet and security ..... 3
1.1.1 The Internet: an impetus for economic growth & non-economic values ..... 3
1.1.2 Security breaches: a personal data breach and loss of integrity ..... 5
1.1.3 An increase of security breaches and social costs ..... 6
1.1.4 The problem of cybersecurity economics ..... 7
1.1.5 Governments triggered to adopt security breach notification laws ..... 8
1.2 Research objectives ..... 9
1.3 Research questions ..... 11
1.4 Research methods ..... 12
1.4.1 Literature research ..... 12
1.4.2 Quantitative analysis ..... 13
1.4.3 Qualitative analysis ..... 15
1.5 The approach ..... 16

Part α: a European law perspective on cybersecurity and security breach notification laws ..... 18

2 The European Cybersecurity Framework ..... 19
2.1 European policy framework ..... 19
2.1.1 Cybercrime versus cybersecurity ..... 19
2.1.2 European policy objectives ..... 20
2.2 The European legal framework: the Treaties and the Charter ..... 22
2.2.1 The European Single Market ..... 23
2.2.2 The Area of Freedom, Security and Justice ..... 25
2.2.3 The Charter of Fundamental Rights ..... 26
2.3 Proposals for cybercrime and cybersecurity legislation ..... 28
2.3.1 The PDIS and the FDIS ..... 29
2.3.2 The PDPR and the PCD ..... 30
2.4 Conclusions – a European cybersecurity approach? ..... 31

3 Security breach notification laws ..... 33
3.1 Origins ..... 33
3.1.1 In the United States ..... 33
3.1.2 EU: Article 31 PDPR ..... 34


3.1.3  EU:Article14PCD............................................................................................................36 3.1.4  Summary..............................................................................................................................38 3.1.5  Subsidiarity–Article31PDPR&Article14PCD................................................38 

3.2  Proportionality–Article31PDPR&Article14PCD........................................38 3.2.1  VolkerSchecke:limitationsondataprotection...................................................39 3.2.2  ScarletExtended:limitationsonthefreedomtoconductbusiness.............41 3.2.3  Proportionality–Effectiveness...................................................................................43 3.2.4  Proportionality–Necessity..........................................................................................44 

3.3  Maindesignparameters.............................................................................................44 3.3.1  Addressees..........................................................................................................................45 3.3.2  Sanctioning&enforcement..........................................................................................45 3.3.3  Scope......................................................................................................................................45 3.3.4  Notificationauthorityandtreatment.......................................................................46 

3.4  Conclusions.....................................................................................................................46 

Part β: effects of security breach notification laws ... 48

4 Literature review on effects ... 49
4.1 First order effect ... 50
4.1.1 The regulatory compliance theory ... 50
4.1.2 Incentives for compliance ... 50
4.1.3 Intermezzo: rough analysis of the cost of compliance ... 51

4.2 Second order effect ... 52
4.3 Conclusions ... 55

5 The dataset ... 56
5.1 The dependent variable: security breaches per firm per state ... 56
5.1.1 Description of the security breaches in the database ... 57
5.1.2 Sources of the database ... 59
5.1.3 Restructured data: breaches per year and per state ... 61
5.1.4 Variations between states: amount of firms ... 64
5.1.5 Variations over time: Internet security ... 65

5.2 Independent variables: classifications of American SBNLs ... 66
5.2.1 Introduction date ... 67
5.2.2 Sanctioning laid down in the law higher than 50 000 dollar ... 67
5.2.3 Strictness defined by Romanosky ... 68
5.2.4 Individuals have a private right of action ... 68
5.2.5 Scope of personal information is broader than general definition ... 68
5.2.6 Obligation to notify the Attorney General ... 68
5.2.7 Obligation to notify the customer credit reporting agency ... 69
5.2.8 Summary ... 69

5.3 Hypotheses ... 70
5.3.1 Hypothesis 1: sanctioning ... 70
5.3.2 Hypothesis 2: scope ... 70
5.3.3 Hypothesis 3: notification authority ... 71

6 Quantitative analysis ... 72
6.1 Comparisons of means and medians ... 72
6.1.1 Effect of the law ... 73


6.1.2 Testing hypothesis 1 ... 73
6.1.3 Testing hypothesis 2 ... 75
6.1.4 Testing hypothesis 3 ... 75

6.2 Fixed effects regression ... 76
6.2.1 The model ... 77
6.2.2 Robustness check ... 79

6.3 Verification & validation of the quantitative analysis ... 79
6.3.1 Verification ... 79
6.3.2 Validation ... 80

6.4 Conclusions ... 80

7 Qualitative analysis ... 82
7.1 Experts interviewed ... 82
7.2 Results ... 83
7.2.1 First order effect ... 83
7.2.2 Reflection on quantitative analysis and the dataset ... 83
7.2.3 Second order effect ... 84
7.2.4 Review of the Dutch initiative, the PDPR and the PCD ... 85

7.3 Conclusions ... 86

Part γ: synthesis and conclusions ... 87

8 Synthesis of literature review, quantitative & qualitative analysis & the aims of legislation ... 88
8.1 First order effect ... 88
8.1.1 Synthesis ... 89
8.1.2 The conceptual framework of the first order effect ... 90

8.2 Second order effect ... 92
8.3 Effects versus aims of the European SBNLs ... 92

9 Conclusions & recommendations ... 94
9.1 Conclusions on EU SBNLs ... 94
9.1.1 Subsidiarity – Necessity of a European Union approach ... 94
9.1.2 Proportionality (1) – First order effect ... 95
9.1.3 Proportionality (1) – Second order effect ... 95
9.1.4 Proportionality (2) – Necessity of coexistence ... 95
9.1.5 Limitations on measuring effectiveness ... 96
9.1.6 Complexity of measuring effects ... 98

9.2 Recommendations ... 98
9.2.1 Regarding the enhancement of the legislative initiatives ... 99
9.2.2 A reasonable expectation of effectiveness before the adoption of the law ... 99
9.2.3 Tools to measure effectiveness after the adoption of the law ... 101

9.3 Directions for further research ... 102

Bibliography ... 104
General bibliography ... 104
Literature ... 104
Journal Articles ... 105
Online articles and papers ... 107


European Union policy documents ... 108
Dutch policy documents ... 109
Documents from websites ... 109

Treaties, Case-law and Legislation ... 111
Treaties and protocols ... 111
Case-law ... 111
European Union (proposed) legislation ... 112
Dutch legislation ... 113

Experts consulted ... 113
Official interviews ... 113
Exploratory interviews ... 114

Appendix A – Interview template ... 115

Appendix B – Classifications of the American SBNLs ... 118

Appendix C – Case summaries ... 120

Appendix D – Cost of compliance and non-compliance ... 124


Acknowledgements

This thesis has been conducted simultaneously for the master European Law at the University of Utrecht and the master Systems Engineering, Policy Analysis and Management at the Technical University of Delft. I have been studying for almost six years at these universities. Hence, the challenge to write a thesis on the interface of these two scientific domains emerged. Although I am used to simultaneously study in Utrecht and Delft, the aim to integrate these disciplines in one single thesis has resulted in an adventurous multidisciplinary project.

Many people assisted me in writing this thesis by their inspiration, support and confidence. Unfortunately, it is impossible to acknowledge them all, but nevertheless I would like to mention the following persons.

First and foremost, I sincerely appreciate the ongoing support for this uncommon project of my supervisors, Sybe de Vries, Bauke Steenhuisen, Prof. Michel van Eeten and Jan van den Berg. Furthermore, advice given by statistical experts in the empirical part β has helped me tremendously. Shirin Tabatabaie and Hadi Asghari, both PhD candidates at the TU-Delft, introduced me to the 'POLG approach' of methods and techniques to statistically analyze the regulation of cybersecurity. Also, I would like to offer my special thanks to Fabio Bisogni, also a TU-Delft PhD candidate. He offered me vital assistance in constructing the independent variables and rethinking the quantitative analysis. An interview with Thijs Urlings, Assistant Professor at the TU-Delft, and discussions with Catherine Endtz, graduate student Economics, and Bram Eidhof, PhD candidate at the University of Amsterdam, provided essential additional knowledge about the fixed effects regression method. Apart from this, I want to thank all the experts interviewed in the context of this thesis for their valuable input (listed in the bibliography). Furthermore, I wish to acknowledge the help provided by Christof Abspoel, Kees Cath, Robert van Mastrigt, Frank Nieuwesteeg and Timo Vosse, for their assistance in dotting the i's and crossing the t's.

Finally I would like to thank friends and family for their enduring support.

Bernold Nieuwesteeg
August 2013


List of tables

Table 1: effects of SBNLs (V = proved or mentioned; X = disproved; "-" = not researched) ... ix
Table 2: visualization of restructured data: breaches per state per year (all sources) ... 62
Table 3: correlation analysis ... 64
Table 4: positive effects of notifications ... 66
Table 5: number of SBNLs per year (out of 50 U.S. States) ... 67
Table 6: summary of the independent variables ... 69
Table 7: descriptive statistics of Has_law (highest marked green) ... 73
Table 8: comparison of means and medians of the Has_law classification ... 73
Table 9: descriptive statistics of sanctioning related classifications (highest marked green) ... 73
Table 10: comparison of means and medians of sanctioning related classifications (significant results marked green) ... 74
Table 11: descriptive statistics of scope related classifications (highest marked green) ... 75
Table 12: comparison of means and medians of scope related classifications (significant results marked green) ... 75
Table 13: descriptive statistics of notification authority related classifications (highest marked green) ... 76
Table 14: comparison of means and medians of notification authority related classifications (significant results marked green) ... 76
Table 15: results of the fixed effects regression model ... 78
Table 16: robustness check fixed effects regression ... 79
Table 17: list of respondents ... 82
Table 18: effects of SBNLs (V = proved or mentioned; X = disproved; "-" = not researched) ... 93


List of figures

Figure 1: the demarcation of the research in part β ... 3
Figure 2: the approach of this thesis ... 17
Figure 3: the European Policy Framework ... 22
Figure 4: European and Dutch SBNLs ... 38
Figure 5: first and second order effects of SBNLs ... 49
Figure 6: total records in 2012 (left) and 2005-2012 (right) (1 = 0-1000; 2 = 1001-10000; 3 = 10001+; 4 = unknown) ... 58
Figure 7: different sources in dataset from 2005 until 2012 and sectors ... 59
Figure 8: representativeness issues: breaches per state from the source 'California Attorney General' and sector of breaches of PHI privacy (medical is red) ... 60
Figure 9: distribution of sectors of selected sources ... 60
Figure 10: breaches per source (0 = selected sources; 1 = all sources) ... 61
Figure 11: breaches per year per source ... 62
Figure 12: breaches (circle is amount of breaches per year per state; all sources and 50 states included) ... 63
Figure 13: scatterplot of log_breaches and log_firms (selected sources right) ... 64
Figure 14: breaches per firm per state (all sources and 50 states included) ... 65
Figure 15: conceptual framework of the first order effect ... 91


List of acronyms and abbreviations

AFSJ Area of Freedom, Security and Justice
CAS Complex Adaptive System
CERT Computer Emergency Response Team
Charter Charter of Fundamental Rights of the European Union
CII Critical Information Infrastructure
CIIP Critical Information Infrastructure Protection
CWII Cyberwarfare infrastructure
CWP Commission Work Program
ECHR European Convention on Human Rights
ECP European Cybercrime Policy
EFMS European Forum for Member States
ENISA European Network and Information Security Agency
EP3 European Public-Private Partnership for Resilience
FDIS Framework Decision on attacks against information systems
NCSC National Cyber Security Centre
NIS Network and Information Security
PCD Proposed Cybersecurity Directive
PDIS Proposed Directive on attacks against information systems
PDPR Proposed Data Protection Regulation
PJCC Police and Judicial Co-operation in Criminal Matters
SBNL Security breach notification law
TEU Treaty on European Union
TFEU Treaty on the Functioning of the European Union


Preface: law and its impact on society

Legal research often describes and prescribes the closed system of laws and its underlying legal values, for example whether these legal values are guaranteed or whether normative goals are properly balanced. Typical legal research questions such as 'to what extent do fundamental freedom laws conflict with fundamental rights?', 'how may competition law differ among several justice systems?' or 'in what line did the concept of mutual recognition develop and how should it develop further?' reflect this approach. These questions preeminently review the law from within the closed system of laws.

Though the questions above do imply societal relevance, they hardly inspire empirical studies of the law and its impact on society. Impact on society, such as the enhancement of cybersecurity by means of security breach notification laws, can be regarded as an external question. This concerns an assessment whether a rule attains the goals it aims to attain. I regard this as the opposite of the internal questions mentioned above, which assess the law itself.

Legal research does tend to ask questions about impact, but often measures impact on law instead of impact on society. Impact on law for instance concerns the correct and timely transposition of Directives.[21] This is an internal question. A European Directive is considered to have a large (legal) impact if it is transposed correctly into national law.[22]

Impact on society is harder to measure than impact on law. Whereas impact on law may, for instance, be measured by the number of correctly and timely transposed Directives, measuring impact on society requires extra effort and can vary in complexity. Impact on society is fairly attainable if the law prescribes a certain level of protection. The environmental impact assessment of the maximum NOx emission levels of cars that are prescribed by European law, for instance, is attainable because NOx values are clearly measurable and there is a clear relation between NOx values and the health of citizens.[23] Complexity increases if a law aims to interfere in the complex world of cybersecurity. Security breach notification laws are such laws.

[21] For example, see: Bernard Steunenberg and Wim Voermans, 'The transposition of EC Directives: A comparative study of instruments, techniques and processes in six Member States' (WODC, 2006) <https://openaccess.leidenuniv.nl/bitstream/handle/1887/4933/5_360_361.pdf?sequence=1> accessed 11 June 2013 & Dionyssis G. Dimitrakopoulos, 'The transposition of EU law: Post-decisional politics and institutional autonomy' (2001) 7(4) European Law Journal 442-458.
[22] This is called an impact assessment ex post, because the effect of a law is measured after its introduction.
[23] For example: Council Directive (EC) 96/96 on the approximation of the laws of the Member States relating to roadworthiness tests for motor vehicles and their trailers [1996] OJ L49.


Thus, legal research often internally describes and prescribes the system. What legal researchers call empirical impact assessments often measure impact on law instead of impact on society. If impact on society is assessed, it is often performed to demonstrate a fairly simple causal relationship. Assessing the impact of laws on society can be more complex. To understand more about this complexity, legal impact assessments could benefit from a multidisciplinary perspective, as demonstrated in this thesis. A multidisciplinary perspective can take different relationships into account that are the building blocks for a more complex effect of the law.

Impact assessments on society could potentially greatly enhance the effectiveness of laws. In general, there is a substantial degree of consensus among policy analysts about the importance of impact assessment as a key tool to ensure the viability of proposed pieces of legislation.[24] Studies stress the need for the availability of data that help perform these analyses.[25]

The theme of this thesis is cybersecurity from a European law and security economics perspective. The security breach notification law is highlighted. New Internet laws, such as security breach notification laws, in particular require state-of-the-art insights in societal impact. The Internet is changing rapidly, there is uncertainty on the effects of laws and there are many new simultaneous legislative initiatives. Therefore this thesis contributes an empirical perspective on the legal effects of security breach notification laws.

Given the aforementioned, the thesis has two normative starting points relating to the impact of law on society. The first normative starting point is that legislation can be valued by empirical measurement, and that measuring impact on society is relevant for the quality of the legal system. As the nexus between the law and the question relating to effectiveness becomes stronger, the law is less symbolic and more instrumental. The second normative starting point is that legislation can be necessary to mitigate societal problems if the total sum of benefits is higher than the total costs on society.[26] Internet insecurity is to a great extent a problem of cybersecurity economics, and security breach notification laws are proposed by the European legislature to interfere in this domain. This thesis analyses the legal position and societal effects of security breach notification laws.

[24] Andrea Renda, Impact Assessment in the EU, The State of the Art and the Art of the State (CEPS Paperbacks 2006) 133.
[25] For instance, see the recommendations in: Ross Anderson, Rainer Böhme, Richard Clayton & Tyler Moore, 'Security Economics and the Internal Market' (ENISA, 31 January 2008) <http://www.enisa.europa.eu/publications/archive/economics-sec> accessed 10 December 2012.
[26] However, some societal costs, such as insufficient fundamental rights protection, are hard to quantify and require a minimum level of protection.


1 Introduction

This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union.

A law is proportional if the requirements of effectiveness and necessity are met.[27] Effectiveness means that there is a causal relationship between the measure and the aim pursued. Necessity means that no less restrictive policy options are available that achieve the same aims.[28] The closely linked subsidiarity test assesses the necessity of the European Union approach: the question whether the aims of the SBNL and cybersecurity cannot be achieved sufficiently by the Member States individually.[29] Subsidiarity is described in a more limited way, because this is to a great extent a political question.

Why these tests? Subsidiarity, laid down in Article 5(3) TEU, and proportionality, laid down in Article 5(4) TEU, are fundamental principles of EU law. They demand that the European legislature does not go beyond what is necessary to attain the objectives in the Treaties and only adopts measures if a European Union approach has added value.

The laws that have been tested are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD). Article 31 PDPR concerns a single uniform personal data breach notification. Article 14 PCD concerns the harmonization of national (significant) loss of integrity breach notification obligations. The Netherlands recently initiated a legislative

[27] Volker Schecke (n 1).
[28] Chalmers (n 2) 362. There is also a third criterion, proportionality stricto sensu, which is sometimes mentioned separately, see section 3.2.1 of this research.
[29] See also Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality [2007] OJ C-310/207; Craig and de Búrca (n 3) 95.

A security breach notification law is an obligation for governments and companies to notify security breaches to the person whose data is breached and/or a supervisory authority. A security breach is defined by a loss of data and/or a (significant) loss of integrity of computer systems. If a company does not comply with the law, a penalty can be imposed.

A personal data breach entails the unauthorized access to and/or theft of personal data.

A loss of integrity entails the loss of control over computer systems, i.e. the loss of confidentiality, integrity or availability of the computer system.

A personal data breach always entails a loss of integrity, but a loss of integrity can also occur without the loss of personal data.


process for such a loss of integrity breach SBNL. This initiative is an example of a national SBNL, which Article 14 PCD aims to harmonize.

The aim of the proposed SBNLs is a central element of this thesis, because the suitability of the legislation to achieve this aim is part of the proportionality test. The aim of the PDPR is "to ensure that individuals are in control of their personal data and trust the digital environment"[30] in order "to increase the effectiveness of the fundamental right to data protection".[31] The aim of the SBNL in the PCD is: "to create a culture of risk management and improve the sharing of information between the private and public sectors."[32]

The thesis consists of three parts. Part α is a theoretical study from a legal perspective. Part β is an empirical study from a security economics perspective. Hence, this thesis is multidisciplinary. Part γ contains the synthesis and conclusions of part α and part β. This has the implication that some concepts are explained a bit more in depth than usual, to make the entire thesis to a great extent understandable for scholars of both disciplines.

In part α, first, the European cybersecurity legal and policy framework is highlighted. It is analyzed to what extent cybersecurity is anchored in the Treaties, Charter and soft law, in order to answer the question whether the European approach regarding cybersecurity is necessary. Second, the European proposals are introduced in relation to American laws. Third, the principles of subsidiarity and proportionality are assessed in the light of SBNLs.

Part β builds on insights about the structure of the SBNLs in part α by empirically analyzing the (complexity of) effects of SBNLs on society. This is indispensable to substantiate the first element of the legal proportionality test. To structure the empirical study, a first and second order effect of SBNLs is distinguished. The first order effect is the effect of (characteristics of) SBNLs on the amount of breach notifications. Generating notifications is not one of the aims of the proposed legislation, but a means to achieve the second order effect. The second order effect is the effect of the law on society. A literature review is conducted to provide an overview of what is already known concerning those two effects. The quantitative analysis systematically assesses the first order effect of American SBNLs by means of a longitudinal dataset containing security breach notifications. The qualitative analysis reviews the perception of first and second order effects by means of Dutch expert interviews. It is also used as a review of the quality of the quantitative analysis. The demarcation of the research in part β is displayed in figure 1.

[30] Impact assessment PDPR (n 6), section 5.3.1.
[31] Ibid.
[32] Impact assessment PCD (n 8), section 6.1.


Figure 1: the demarcation of the research in part β

Hence, the question whether European legislation on SBNLs is necessary and proportional is answered in part γ by substantiating the legal subsidiarity and proportionality test of part α with the empirical analysis of effects in part β.

This introduction sketches the context of the research subject, namely the Internet, with specific attention for Internet security. Within the subject of Internet security, Internet insecurity problems are analyzed from a security economics perspective. Hereafter, the SBNL and the concepts of subsidiarity and proportionality are introduced. After this, research objectives and questions are presented. Finally, the thesis' approach is outlined.

1.1 Internet and security

The Internet is important and special. The World Wide Web is an impetus for economic growth and non-economic values such as the freedom of speech. Internet insecurity is a threat for the development of and activities on the Internet. The problem of cybersecurity economics precludes an easy solution to mitigate Internet insecurity. Increased Internet insecurity has triggered governments to adopt SBNLs.

1.1.1 The Internet: an impetus for economic growth & non-economic values

The Internet rapidly emerged from a university network to one of the most important infrastructures for the world economy. While at the end of 2000 merely 360 million people used the Internet, approximately 2.4 billion people used the Internet on a regular basis by mid-2012.[33] A McKinsey report estimated that the Internet accounts for 21% of GDP growth in developed economies between 2006 and 2011.[34] The Internet is a catalyst for mature economies to maintain their welfare level when coping with aging populations and slowed productivity growth. Hence, there are significant consequences

[33] 'Internet statistics' <www.Internetworldstats.com> accessed 14 April 2013.
[34] Matthieu Pélissié du Rausas et al, 'Internet Matters: The Net's sweeping impact on growth, jobs and prosperity' (McKinsey Global Institute, May 2011), 2 <http://www.mckinsey.com/insights/high_tech_telecoms_Internet/Internet_matters> accessed 27 December 2012.

Page 26: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

4

iftheInternetasaninfrastructurehampers,whichisthecaseifpersonaldataislostorstolenorif(publicservices)suchasInternetbankingareunavailable.Thiscouldresultinalossofeconomicactivityandalossoftrustintheeconomy.Inaddition,theInternetisaspecialinfrastructureandisaconductorfornon‐economicpublic values. Already in 1996, at the dawnof a global Internet economy, JohnPerryBarlowdeclared ‘theglobal socialspacewearebuilding tobenaturally independent’,already hinting on these special characteristics.35Internet is indeed characterized byopenness and transborderness.36The Internet cannot be controlled by one singlestakeholderandthere isnocentralgovernancestructure,althoughsomestakeholdersgovern parts of the network and thus have stronger influence than others.37TheInternet and its equal information exchange are accessible for many. The Internettherefore is a unique platform for conducting non‐economic values such as publicspeechandthefreedomofexpression.However,InternetinsecuritymayalsoemergeiftheinformationexchangeovertheInternetincreases.ThesecurityofinformationontheInternet,called‘cybersecurity’inthisthesis,isusuallydefinedas:

“the protection of information and information systems againstunauthorized access or modification of information, whether instorage, processing, or transit, and against denial of service toauthorized users. Information security includes those measuresnecessarytodetect,documentandcountersuchtreats”38

Cybersecuritythusconcernstheconfidentiality, integrityandavailabilityof(personal)information.39Concluding, the Internet is an important and special infrastructure for stimulating theeconomyaswellasaplatformforexpressingnon‐economicvalues.InternetsecurityisimportantforthedevelopmentoftheInternet.

35JohnPerryBarlow,‘DeclarationofInternetindependence’(eff.org,9Februari1996)<http://w2.eff.org/Censorship/Internet_censorship_bills/barlow_0296.declaration.>accessed9January2013.36AtthesametimethenatureoftheInternetischanging,fromanopeninteroperableandunifiedsystem,towardsaclosedsystemwithfewerstakeholders,see:JonahForceHill‘InternetFragmentation:HighlightingtheMajorTechnical,GovernanceandDiplomaticChallengesforU.S.PolicyMakers’(Paper,HarvardKennedySchool2012).37ForexampletheInternetCorporationforAssignedNamesandNumbers(ICANN)performsanumberofimportantInternetrelatedtaskssuchasthedistributionoftopleveldomainnames(TLDs).<www.icann.org>accessed11June2013.38KarldeLeeuw‘Introduction’,inKarldeLeeuw&JanBergstra(eds.),TheHistoryofInformationSecurity:AComprehensiveHandbook(Elsevier,2007)2‐3.39AxelArnbakandNicovanEijk‘CertificateAuthorityCollapse,RegulatingSystemicVulnerabilitiesintheHTTPSValueChain’(2012)TRPC,20.<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2031409>accessed8January2012.

Page 27: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

5

1.1.2 Securitybreaches:apersonaldatabreachandlossofintegrity

Internetinsecuritycanharmbotheconomicandnon‐economicgoalsoftheInternet.TheInternethasrapidlybecomemoreinsecurethroughincreasedcriminalactivity,causedby the increaseof Internetusersandeconomicactivityon the Internet.Crime followsopportunityasthefundamentalprincipleofcriminologysays.40Thisthesisdistinguishesthelossofdataandthelossofintegrityastwoconceptsthatbothcanentailasecuritybreach. A personal data breachmeans that third parties access or use personal dataillegally. A loss of integrity of information systemmeans that a serious attack causesdamagedandbreachedcomputersystems,resultinginunavailableservicesandalossofcontrol.Alossofintegrityhasabroaderscopethanapersonaldatabreach.Apersonaldatabreachalways involves lossof integritybecause ifpersonaldata is lostadefensesystemisbreached,butalossofintegritydoesnotnecessarilyinvolveapersonaldatabreach.Forexample,inMarch2013,aseriesofcyberattacks(DDOS)onDutchbanksdidnot result in a loss of data but in the unavailability ofmobile banking services.Most(banking)computersystemshaveamultiplelayersofdefenseandonlyabreachofthelast defense layer results in actual loss of data.41Another example is the fact thatcriminalspossiblywant controlover certain aspects of computer systems thatdonotstore personal data. 
For instance, Dutch water utilities have separated computersystemsfortheoperationoftheirwaterprocessesandtheircustomers.42Therearemanytoolsforcriminalstoexecuteasecuritybreach.Afewexamplesoftoolsand actions relevant for organizations are: the disruption of computers bymalicioussoftware (malware), Distributed Denial of Service (DDoS) attacks with botnets(networksofcompromisedcomputers)andidentitytheftbyphishing.Sometools,suchasDDoSattacks,aremoresuitablefordisruptingcomputersystemsandaremorelikelytocausealossofintegritywithoutalossofpersonaldata.Othertools,suchasbankingTrojans(atypeofmalware)focusmoreonpersonaldatatheftforeconomicpurposes,suchasbankingfraud.Thetoolstoperformasecuritybreachwillnotbediscussedindepth.43For thepurposeof this thesis, it is sufficient tomake thedistinctionbetweenlossofintegrityandlossofpersonaldata.

40PaulHunton,‘ThegrowingphenomenonofcrimeandtheInternet:Acybercrimeexecutionandanalysismodel’(2009)25ComputerLaw&SecurityReview528,529.41InterviewwithRonaldPrins,Director,FoxIT(Delft,theNetherlands,12April2013).42Forinstance,Dutchwaterutilitieshaveseparatedcomputersystemsfortheoperationoftheirwaterprocessesandtheircustomers.Onlythelattersystemcontainspersonaldata.(InterviewwithRogierRagetlie,SecurityManager,BrabantWater(‘sHertogenbosch,theNetherlands,25April2013).43Forfurtherreading,HadiAsgharihaslistedextensivelistofonlinesecuritythreatsfacedbyendusers,see:HadiAsghari‘BotnetMitigationandtheRoleofISPs’(MasterThesis,Delft,UniversityofTechnology)7‐12;‘CyberSecurityReport2012’(NationalCyberSecurityCentre,19September2012),22‐34<https://www.ncsc.nl/english/current‐topics/news/ncsc‐publishes‐cyber‐security‐report‐2012.html>accessed11June2013.

Page 28: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

6

1.1.3 Anincreaseofsecuritybreachesandsocialcosts

Cybercrime isperceivedasa threatand isapartofdaily life.44Most Internetusers inEurope ‘have seen or heard something about cybercrime in the last 12months’.45 A2010U.K.surveyunder964ITandbusinessmanagersfrom15industrysectorsstatedthat88%oftherespondentsexperiencedadatabreachinhisorhercompany.46Thecostsofcybercrimearehardtoestimate,butprobablyhaveincreasedsignificantlyover the last few years. Dutch banking fraud damage indicates this upward trend. In2011,thisdamagewasprojectedat35millioneuro,atriplingwithrespectto2010.47Inthe first half of 2012, the damage of Internet crime was 27.3 million euro, whichconfirmstheupwardtrend.Theestimationofthecostofcybercrimecandependontheinterestofthestakeholder.Internetsecuritycompaniesforinstancecouldhaveaninterestinanexaggerationofthecosts to sell more products.48In the United Kingdom the costs of Internet crime forcompanies are estimated at 5.9million dollar per year and average annual costs percapita inareestimated98dollaraccording to Internet security companies.49The totalannualworldwideInternetcrimecostsareestimatedtoexceed100billiondollar.50Thecostofcybercrimecanbedividedinthedirectcostsandindirectcosts.Accordingtoa recent scientific study, the direct annual costs of cybercrime, the damages of 
acyberattack,“mightamounttoacoupleofdollarsper[UK]citizenperyear”.51Indirectcostsanddefensecostsareatleasttentimesofthedirectcosts.52Hence,theprotectionofcitizensagainstcybercrimeismorecostlythenthedirectfinancialimpactofthecrimeitself.44Formoreanalysis,seethefollowingfactsheetaboutcybercrime‘Eurobarometer390fortheNetherlands’(EuropeanCommission,2012)<http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_fact_nl_en.pdf>accessed7January2012.45‘Eurobarometer390’(EuropeanCommission,2012),61<http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf>accessed7January2012.46‘2010AnnualStudy:U.S.EnterpriseEncryptionTrends’(PonemonInsitute,November2010),5<http://www.symantec.com/content/en/us/about/media/pdfs/Symc_Ponemon_Encryption_Trends_report_Nov2010.pdf>accessed15July2013.47‘CybersecurityAssessmentNetherlands’.(NationalCyberSecurityCentre,19September2012).<https://www.ncsc.nl/english/current‐topics/news/ncsc‐publishes‐cyber‐security‐report‐2012.html>accessed21April2013;‘FraudereportInternetbankingandskimming’(NederlandseVerenigingvanBanken,2012).<http://www.veiligbankieren.nl/nl/nieuws/fraude‐Internetbankieren‐stijgt‐eerste‐half‐jaar‐met‐14_.html>accessed11June2013.48RossAnderson,ChrisBarton,RainerBohme,RichardClayton,MichelvanEeten,MichaelLevi,TylerMoore,StefanSavage,‘MeasuringtheCostofCybercrime’(2012)WorkshoponEconomicsofInformationSecurity6/2012<http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf>accessed7January2013.49‘2011CostofCyberCrimeStudy’(PonemonInstitute,August2011)<http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crime_Study_August.pdf>accessed30November2012.50‘PressreleaseonSymantecSecurityReport’(Symantec,7September2011)<www.symantec.com/about/news/release/article.jsp?prid=20110907_02>accessed28November2012.51Anderson(n48)25.52Ibid.

Page 29: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

7

1.1.4 Theproblemofcybersecurityeconomics

TheInternetisincreasinglyimportantforoureconomicandsocial life.Asaresult,theInternetisbecomingincreasinglyinsecureascrimefollowsopportunity.Inadditiontothat,thereisaproblemofcybersecurityeconomics.Theproblemofcybersecurityeconomicsischaracterizedby:

TheEconomiststatedin2010:

‘Theworldcontainsanunimaginablyvastamountofdigitalinformationwhichisgettingevervasterevermorerapidly’53

Digitalinformationincludespersonaldataofcustomersandconfidentialinformationofcompanies.Hence,itisavulnerableasset.Breachesofdefensesystemsandtheftofthispersonalinformationharmssociety.Ideally,companieswouldtakepropermeasurestopreventdataandsecuritysystemstobebreached.But, ‘bigdata’ofcompanies isverycomplexandextensivewhichmakesitextremelydifficulttooverseeanddefend.Moreover, companies have incentives for suboptimal investment in security. That iscausedbythefactthatcompaniesdonotbearthefullcostsofasecuritybreach.54Forexample:ahackonthecontrolsystemsofanenergyproductioncompanycanresultinapowerfailureofaday.55Suchacompanywouldincurforinstancea1millioncostfromlost income and damage, while the indirect costs of companies that are not able tooperate their businesses are themultiple of that. Of course, companies can claim fordamages.However,suchaclaimwouldprobablyberejectedonthegroundsofaforcemajeure situation, an extraordinary event beyond the control of a company whichpreventsthepartyfromfulfillingitsobligations.56Apart from this, thereare little incentives for companies to invest in securitybecauseconsumersdonotwanttopayforit.Internetsecurityisasocalled‘marketforlemons’.

53‘Data,Dataeverywhere’(TheEconomist,25February2010).<www.economist.com/node/15557443>accessed11June2013.54DeirdreMulligan,‘SecurityBreachNotificationLaws:ViewsfromChiefSecurityOfficers’(UniversityofBerkeleySchoolofLaw,December2007),13<http://www.law.berkeley.edu/files/cso_study.pdf>accessed11June2013.55Forcomparison:‘Waterinstallatiebeschadigdbijcyberaanval’<www.automatiseringgids.nl/nieuws/2011/47/waterinstallatie‐beschadigd‐bij‐cyberaanval>accessed11June2013.56Adefinitionof‘ForceMajeur’canbefoundat<www.trans‐lex.org/944000>accessed21April2013.

Imperfectinformationabouteffectivesecuritymeasuresbecauseofthecomplexityofbigdataanddefensesystems.

Negativeexternalitiesonsocietyconcerningthecostsofsecuritybreaches. Underpoweredincentivestoinvestinsecurity,protectconsumers

informationandshareknowledgewithcompetitors.

Page 30: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

8

Themajorityofconsumersarenotabletodistinguishagoodsecuredcompanyfromabadsecuredcompany,becausetheyhavenoinformationtovaluesecuritypractices.57Acompanythuscannotinvestinsecuritytogaincompetitiveadvantageandinfactincursmorecostscomparedtocompanieshowinvestlessinsecurity.Besides,therearelessdirectincentivestoprotectconsumerinformation.Tradesecretsandothercompetitivelysensitiveinformationarevitalfortheoperationofbusiness,butconsumerinformationoftenisnot.58Theincentivetoprotectsecuritybestpracticesforcompetitivereasonsresultsinreluctancetosharesecurityknowledgeandbestpracticeswith competitors in order to achieve concerted practices concerning security. Forexample,Dutchbanksonlyrecently initiatedastructured informationexchangeaboutDDoSattacks.59If thesecuritybreachisfixedinternallytheimpactatcompanylevel islimited,butifotheractorsareunawareofthissecuritythreatandcannotimprovetheirowndefensesystems,negativeeffectsforsocietyemerge.Additionally,companiesdonothaveincentivestonotifyconsumers,becausethiswoulddamagetheirreputationandpossibleresultsinclaimsfordamages.Moreover,thishastheeffectthatconsumersdonothaveincentivestoimprovetheirownbehaviorrelatedtosecurity,becausetheyarenotawareofinsecuresituationsthatoccurred.

1.1.5 Governmentstriggeredtoadoptsecuritybreachnotificationlaws

InternetinsecurityhastriggeredtheEuropeanUniontoproposeSBNLs.60Theincreasedlevelandsignificanceofpersonaldata lossesstimulated theCommission toproposeapersonal data SBNL in Article 31 of the PDPR.61The increase of the frequency andseverityofnetworkandinformationsecurityincidentshasbeenamainreasonfortheCommissiontoproposealossofintegritySBNLinArticle14PCD.62TheconceptoftheSBNLisborrowedfromtheUnitedStates.TheinitiationofthetwoEuropeanproposalsforSBNLsformsapartof thedevelopmentofaEuropeanlegal frameworkconcerningcybersecurity.Thecybersecurity framework is extensivelydiscussed in chapter2 andtheoriginsofSBNLsinchapter3.

57RossAnderson,‘WhyInformationSecurityisHard–AnEconomicPerspective(UniversityofCambridge,December2001)<http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf>accessed25June2013.58Mulligan(n54)13.59‘Bankenbeloveninformatieovercyberaanvallenonderlingtegaandelen’(Tweakers,15April2013)<http://tweakers.net/nieuws/88507/banken‐beloven‐informatie‐over‐cyberaanvallen‐onderling‐te‐gaan‐delen.html>accessed13June2013.60Anderson(n25);Researchesinthefieldofsecurityeconomicshaverecommendedpolicyoptionsforgovernments,see:TylerMoore,‘Theeconomicsofcybersecurity:Principlesandpolicyoptions’(2010)3(3‐4)InternationalJournalofCriticalInfrastructureProtection103.61PauldeHertandVagelisPapakonstantiou‘TheproposedDataProtectionRegulationreplacingDirective95/46/EC:Asoundsystemfortheprotectionofindividuals’(2012)28(3)ComputerLawandSecurityReview130,140.62PCD(n4),2.

Page 31: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

9

The United States, the European Union6364and the Netherlands65all have (pending)initiativesonSBNLs:

AnobviousfirstorderaimoftheSBNListogeneratesecuritybreachnotifications.66Thesecond order aim of the PDPR is “to ensure that individuals are in control of theirpersonal data and trust the digital environment”67in order to “to increase theeffectivenessofthefundamentalrighttodataprotection”.68ThesecondorderaimoftheSBNLinthePCDis:“tocreateacultureofriskmanagementandimprovethesharingofinformationbetweentheprivateandpublicsectors.”69

1.2 Researchobjectives

This thesis focuses on two fundamental principles of European law: subsidiarity andproportionality.Torecall:

This thesis provides to enhance the proportionality analysis of the EuropeanCommissionandrethinkmeasuringimpactonsociety.63PDPR(n4)64PCD(n4).In2009,theEuropeanUnionhadalreadyadoptedtwoDirectivesforbothalossofintegrityandapersonaldataSBNLfortelecommunicationproviders.65InterviewwithDavidvanDuren&BobRijkhoek,PolicyAnalysts,MinistryofSafetyandJustice.(TheHague,theNetherland,6November2012).66LiterallymentionedImpactassessmentPCD(n8),Annex13.67ImpactassessmentPDPR(n6),section5.3.1.68Ibid.69ImpactassessmentPCD(n8),section6.1.

Subsidiarity(Article5(3)TEU)concernsthequestionwhetheraEuropeanUnionapproachisnecessary,thuswhethertheaimsoftheSBNLcannotbeachievedsufficientlybytheMemberStatesindividually.

Proportionality(Article5(4)TEU)concerns:o 1.)aneffectivemeasure:themeasuresuitabletoachievetheaim

pursuedo 2.)anecessarymeasure,inthesensethatnolessrestrictive

alternativemeasuresareavailable.

TheUnitedStatesstartedtoadoptpersonaldataSBNLsatthebeginningofthiscentury.Californiawasthefirststatetoadoptlegislationin2002andotherstatesquicklyfollowed.In2006,27statesadoptedlegislationand16stateshadpendinglegislation.In2012,46statesadoptedanSBNL.

In2012,theEuropeanCommissionproposedtheDataProtectionRegulationthatcontainsageneralsecuritybreachnotificationlawforpersonaldata.In2013,theCommissionproposedaCybersecurityDirectivethataimstoharmonizenationallossofintegritySBNLs.

TheNetherlandsinitiatedanationallossofintegritySBNL.Inmid‐2013,thestructureofthefinallegislationisbeingsketchedbymeansofconsultationrounds.

Page 32: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

10

The European Commission has tested proportionality only marginally in its impactassessmentofboththePDPRandthePCD.TheCommissiondoesnotsubstantiatehowthe SBNLswill achieve the aims pursued.70This is a deficiency in the analysis of thisproposedlegislation.TheCommissiondidnotmentioninwhatwaytheSBNLissuitabletoachievetheaim“toensurethatindividualsareincontroloftheirpersonaldataandthrust in the digital environment” and “to create a culture of risk management andimprovementofinformationsharingbetweenprivateandpublicparties”.Giventhefactthat there are no arguments aboutwhether the proposals are suitable to achieve theaims pursued, there is a societal risk for an ineffective law that imposes significantadministrativeburdensoncompaniesandcostsonsociety.Legalscholars,theEuropeanlegislatorsandtheCourt,usuallyassessthefirstaspectofproportionalitylimitedly.Inlegalresearch,thefirstaspectoftheproportionalitytestisregarded to “rarely cause problems” and is “the least problematic”.71The EuropeanCommission does not seem to substantiate causality verywell, as the PDPR and PCDindicate. The Court is regarded to be able “perfectly well to assess the causalrelationship between the measure and their objectives”. 72 However, insufficientsubstantial inputon thecomplexityof the effects canhamper thisassessment, as thisthesiswillshow.Insteadoffocusingonthefirstaspectofproportionality,thedebateinlegal researchconcentrateson the secondaspect; thebalance thatneeds tobe struckbetweenseveral(fundamental)rights.Thisthesischallengestheaforementionedassumptionthatdeterminationofcausalityisstraightforward.This isdonebyamoresubstantiveassessmentof theproportionalitytest.Thiscanincreaseknowledgeabouttheeffectsofthelaw.TheCommissiondidnotprovide information that gives a reasonable expectation of causality between themeasure and the objectives to be attained. 
This knowledge gap concerns amongstothers, which characteristics of an SBNL give incentives for compliance, whetherindividuals will get more in control of their data and whether the law benefitsinformationsharingandInternetsecurity.Moreover,thedesirabilityandvalidityoftheaimsoflegislationisunknown.Willthelawbeeffectivefromasocietalperspectiveiftheaims pursued are achieved altogether? An empirical analysis can enhanceunderstandingabouttheeffectsofSBNLs.Thereforethegoalofthisresearchistomoresubstantivelymeasureeffectsempiricallytoenhance theknowledgeabout theseeffects inorder to improve the important legalproportionalitytest.Theproblemwillbeanalyzedfromsecurityeconomicsperspective,because“aneconomicperspectivehasyieldedinvaluableinsightsintotheanalysisand

70NeitherinboththeproposedtextandimpactassessmentofthePDPRandthePCD.71Jans(n)240,245,thispaperconcernedtheproportionalitytestregardingmeasuresofMemberStates,butthesamelimitedattentionappliestomeasuresoftheEuropeanUnion.ThemarginaltestofproportionalityoftheEuropeanCommissioninboththePDPRandthePCDstressesthis.72Jans(n)245.

Page 33: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

11

designof informationsecuritymechanisms.”73Theeffectsof the lawsproposedcannotbe measured directly, as they are not yet adopted. However, literature review andquantitativeanalysisontheeffectsofAmericanSBNLsandtheperceptionofthelawbymeansofqualitativeanalysiscanprovideaforecastoftheeffectsoftheproposedlaws.The second element of the proportionality test assesses the necessity of the twoEuropean proposals. The European legislature must always choose for the leastrestrictivemeasureavailable.TheSBNLcanrestrictcompanies,becauseitinfringesthefundamentalfreedomtoconductbusinessbyimposingadministrative,compliance‐andreputational costs.74Possibly, anotherapproach imposes fewerburdensoncompanieswhileattainingthesameobjectives.Theprincipleofsubsidiarityiscloselylinkedwithproportionalityandwillbediscussedaswell,althoughmorelimited.ThenecessityofaEuropeanUnionapproachispartlyapoliticalquestion,becausenationalparliamentsdeterminethelimitsofEuropeanUnionactiontoagreatextent.75ThisfundamentalquestionofEuropeanLawappropriatenessas such falls beyond the scope of this thesis. Instead, the arguments for a EuropeanUnionapproachregardingcybersecurityand inspecialSBNLsbrought forwardby theEuropeanCommissionaredisplayed.Inadditiontothis,insightsregardingsubsidiarityfromthecomparativeanalysisofU.S.SBNLsareaddedtothisview.Thisresearchaims toscrutinize theproportionalityofArticle31PDPRandArticle14PCDanddiscussargumentsforthenecessityofaEuropeancybersecurityapproach.

1.3 Researchquestions

Themainresearchquestionofthisthesisisformulatedasfollows:

TowhatextentdoesthecurrentEuropeanUnionapproachconcerninggeneralSBNLsstandthetestofproportionality?

Themainquestionisdividedintoseveralsubquestions.

73TylerMooreandRossAnderson,‘InternetSecurity’inMartinPeitz&JoelWaldfogel(Eds.),‘TheOxfordHandbookoftheDigitalEconomy’(OxfordUniversityPress2011)584.74ScarletExtended(n12).Thefreedomtoconductbusinesscanbeinfringedbyimposingunnecessaryadministrativeburdensoncompanies.75Chalmers(n2)129;insomeareas,theEuropeanUnionhasanexclusivecompetence,andthesubsidiarityquestionislessrelevant,butcybersecurityisnosucharea,seeArticle3TFEU.

α.)an analysis of the cybersecurity framework and European proposals forSBNLsfromaEuropeanlawperspective

β.)an analysis of the effects of an SBNLempirically froma security economicsperspective, by means of literature review, quantitative and qualitativeanalysis.

Page 34: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

12

Part α:what is the legalpositionofanSBNL in relation to theEuropeanCybersecurityFramework?76

Partβ:whatareeffectsofsecuritybreachnotificationlaws?

Partγ:synthesisandconclusions.

1.4 Researchmethods

Thisresearchisconductedbyliteratureresearch,quantitativeandqualitativeanalysis.

1.4.1 Literatureresearch

The legal research in part α is for themost part literature research. This is done byreviewing various legal sources, such as scientific articles, policy documents of theEuropean Commission (communications, action plans and programs) and European

76Designparameters,treatedinchapter3,areaspectsoffunctionalcharacteristicsofthelaw.

Chapter2: WhatarethemaingoalsandpoliciesoftheEuropeancybersecuritypolicy

framework? WhatarethemainlegalbasesforEuropeancybersecuritylaws? HowarethePDPRandthePCDrelatedtotheselegalbases?

Chapter3:

WhataretheoriginsofSBNLsintheUnitedStates,theEuropeanUnionandtheNetherlands?

WhatistheopinionoftheEuropeanlegislatoronsubsidiarityandproportionalityoftheEuropeanSBNLs?

Whichdesignparameterscanbedistinguishedbasedonthetwolegislativeinitiatives?

Chapter4: WhateffectsofSBNLscanbefoundinliterature?

Chapter5&chapter6:

WhatistherelationbetweendesignparametersofU.S.SBNLsandtheamountofbreaches?

Chapter7:

Whateffectsdosecurityexpertsandmanagersexpect? Howdotheyreflectoneffectsfoundinliteratureandquantitativeanalysis?

Chapter8 Whatistherelationbetweentheeffectsfoundandtheaimsofthelegislation?

Page 35: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

13

hardlaw(DirectivesandRegulations).Theliteraturereviewinpartβdiscussesfirstandsecond order effects of American SBNLs. For this purpose, authoritative scientificdatabases such as scopus, sciencedirect and ssrn are searched.77Frequently usedkeywords of this search are ‘security breach notification law’, ‘identity theft’, ‘databreachnotificationlaw’,‘disclosurelaws’and‘Internetsecurity’.

1.4.2 Quantitativeanalysis

A quantitative analysis is performed in part β in order to measure the relationshipbetweenthedesignparametersofSBNLsandtheamountofnotificationsgenerated.Inmid‐2013,thePDPRandPCDarestillproposedlegislation.Obviously,itisimpossibletoempiricallymeasuretheeffectsoftheproposedSBNLs.Fortunately, the U.S. has already adopted SBNLs.78Therefore, an American database,which contains securitybreaches, is used for the purpose of this thesis.79The datasetconcerns longitudinal data: data of multiple subjects (states) with multiplemeasurementsintime(years).Thislongitudinaldatasetallowsananalysisoftheeffectoftheadoptionofthelawontheamountofnotificationsinthedatabase.Moreover,theeffects of characteristics of the 46 American SBNLs that have been adopted can beresearched.Thosecharacteristicshavebeenconstructedbyauthoritativelegalsourcesandreviewofthelaw.The quantitative approach requires a careful interpretation of the statisticalrelationships.80This applies inparticular to thisquantitative analysis, that studies theeffectivenessof legislation.Only a few characteristics of the lawcanbe viewed in thelight of theamountofnotifications in thedatabase.Thus, limited in‐depthknowledgecan be gained about the ‘why?’ and the ‘how?’ of the results. Moreover, the dataconcerned is not collected for the purpose of this thesis, which implicates that itextensive analysis must be paid to the validity of the data.81Apart from this, it iscomplextodeterminecausalitybetweenthelawanditseffectsonsociety.Theeffectofthelawcannotbeisolatedeasilyfromtheeffectofnumerousothervariables,suchastheroleofISPs,theattitudetowardsriskinacountryandthenumberofInternetusers.82Thisimplicatesthatextraeffortsmustbeputincontrollingforsideeffects.83The approach of the quantitative analysis is as follows, taking this complexity intoaccount.First,adescriptiveanalysisandcomparisonofmeansandmediansisexecuted

77<www.scopus.com>;<www.sciencedirect.com>;<www.ssrn.com>.78Seesection3.1.1ofthisresearch.79ThedatabaseofthePrivacyBreachClearinghouseisextensivelydiscussedinsection5.1ofthisresearch.80Ibid,167.81PietVerschuren&HansDoorewaard,‘Designingaresearchproject’(Secondedition,ElevenInternationalPublishing2010),198;whichisdoneinsection5.1.82MichelvanEeten,JohannesBauer,HadiAsghari,ShirinTabatabaie,‘TheRoleofInternetServiceProvidersinBotnetMitigation:anEmpiricalAnalysisbasedonSpamData’(2010)OECDSTIWorkingPaper2010/5<http://search.oecd.org/officialdocuments/displaydocumentpdf/?cote=DSTI/DOC%282010%295&docLanguage=En>accessed11June2013.83Seesection5.1.4and5.1.5ofthisresearch.

Page 36: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

14

todiscoverroughpatternsinthedata.Second,amoreadvancedfixedeffectsregressionisperformedtocontrolforseveralvariationsintimeandbetweenstates.Descriptive analyses, the Independent Samples T‐test and the non‐parametric Mann‐Whitneytest,areusedtodistinguishroughpatternsinthedata.Thedescriptiveanalysisisusedtoexaminetherepresentativenessofthedataondifferentlevels.Thestatisticaltestsareused todeterminewhether themeansandmediansof theamountofbreachnotificationsdiffersignificantlyfordifferentcharacteristicsofthelaw.Themoreadvancedfixedeffectsregressionisusedtocontrolforvariationbetweentimeandstates,becausethosevariationscansignificantlyinfluencethedependentvariable.The strength of the fixed effectsmodel is that it allows to control for certain omittedvariables.84The regression ‘automatically’ controls for differences between states,which are constant over time and for differences over time, which are constant overstates. The following box displays a short explanation about basicmechanism of thefixedeffectsregression.85

Thelongitudinaldatasetisessentialforafixedeffectsregression,becauseitallowsforthe measurement of changes of the dependent variable because there are multiplepointsintimeneededtomeasuretheamountofnotificationsinastate.Ananalysisformeasurements over time is not allowed within a standard OLS regression analysisbecause multiple measurements per subject (state) result in forbidden correlations

84See:MarnoVerbeek,AGuidetoModernEconometrics(FourthEdition,Wiley,2012),chapter10:ifanomittedvariabledoesnotchangeovertime,thananychangesinthedependentvariablecannotbecausedbytheomittedvariable.85JosW.R.Twisk,AppliedMultilevelAnalysis(CambridgeUniversityPress,2006),chapter6.

ThemechanismofthefixedeffectsregressionOne could imagine that the amount of firms in a state determines the amount ofnotificationsinastate.Anormalregression,thatomitsthecontrolvariablefirmsperstate,wouldindicatethatlargestateshavemoreeffectivelaws,becauselargestatesgeneratemorenotifications.Thisisafalseconclusion,becausethevariablefirmsperstate is omitted from the analysis and the amount of notifications depends on thenumberoffirmsinastate.The fixed effects regressionmeasures the changes in the dependent variable from2005until2012.Astatewithalargenumberoffirmsin2012,suchasTexas,alreadyhad a large number of firms in 2005. If there are no changes in the amount ofnotificationsareobserved,thismeansthattheadoptionofthelawin2009(probably)did not have an effect. In fact, the fixed effects regression assumes that omittedvariables remain constant over time, because than any changes of the amount offirmsarenot causedby theomittedvariable.The sameapplies for variationsovertime, which are constant over states. The automatic control for these kinds ofvariablesresultsinamoreaccuratemodel.

Page 37: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

15

within the dependent variable.86These correlations are allowed in fixed effectsregression,becauseanassumptionismadeconcerningthecorrelationbetweenmultiplemeasurementspersubject.87Fixedeffectsregressionisregardedasasophisticatedstatisticaltool,whichalsoneedscompletedata.88There is a riskof over‐interpreting the results if thedata isnot veryaccurate. On the other hand, descriptive analysis and a comparison of means do notcontrolforvariationsovertimeandstate;theyaremorebasicstatisticaltools.Thereforeresultsofthetwoanalyseswillbeinconjunctionwitheachother.

1.4.3 Qualitativeanalysis

Thequalitativeanalysisconcernsbothexploratoryandofficial interviews. Acompletelist of the experts interviewed can be found in the bibliography. The exploratoryinterviewswithcybersecurityexpertswereheldatthestartof theresearch.Basedonthese interviews, the thesis problem definition is constructed. The exploratoryinterviewsarealsoperformedtoreceivemoresubstantiveinformationabout,amongstothers, theway inwhich theEuropean legislature thinksabout impactonsocietyandthemechanismofthefixedeffectsregression.Hereafter,foursemi‐structuredexpertinterviewswithopen‐endedquestionshavebeenconducted to inquire the firstandsecondordereffectsofSBNLsand to reflecton thequantitative analysis. The open‐end character allows for input of respondents onaspects thatarenotasked.Thesemi‐structuredsettingalsoallowsdeviation fromthestorylinetoexplorerelevantaspects.Theinterviewscannotbeusedtomeasureeffectsdirectly,becausethereisariskofstrategicansweringandinmostcases,thereisnoreallife experience with a general SBNL. Instead, only the perception of effects can bemeasured.Apartfromaskingforeffects,therespondentsalsohavebeenaskedtoreflectontheresultsofthequantitativeanalysis.Theyareaskedtovaluethestatisticalresultsandthequalityofthedataset.ThewholeinterviewtemplateisdisplayedinappendixA.

[86] The amount of breaches in a state in 2007 in, for instance, California will probably be correlated with the amount of notifications in 2008, because they come from the same state, see: Howard Seltman, Experimental Design and Analysis (Published online, 2009), chapter 15. <http://www.stat.cmu.edu/~hseltman/309/Book/chapter15.pdf> accessed 11 June 2013.
[87] See section 6.2.1 of this research.
[88] Fixed effects can be distinguished from random effects. Interview with Thijs Urlings, Assistant Professor, Innovation and Public Sector Efficiency, Delft University of Technology (Delft, the Netherlands, 3 May 2013): “Fixed effects delivers a ‘within estimator’, which analyses the differences in time within a state. Random effects uses a combination of a ‘within estimator’ and a ‘between estimator’ (also observes differences between states). The random effects method uses variations in the data more efficiently, but preference will be given to fixed effects if the research units are unique and of importance, for instance individual states. This is the case in the current analysis.”
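To make the ‘within estimator’ of footnote 88 concrete, the following added example (not code from the thesis) implements two-way fixed effects by hand on a constructed, balanced state-year panel of notification counts with an SBNL-in-force indicator, and contrasts it with a pooled regression that ignores state and year effects. The state names, counts, adoption years and function names are assumptions made for illustration.

```python
"""Two-way fixed effects ("within estimator") versus pooled OLS.

Added illustration, not code from the thesis. The panel below is
constructed: three hypothetical states observed over four years, a 0/1
indicator for whether a security breach notification law (SBNL) is in
force, and a notification count per state-year.
"""
from collections import defaultdict

# Constructed balanced panel: (state, year, sbnl_in_force, notifications).
# Each state has a different baseline level, every year adds a common
# upward trend, and the law is adopted at different times (or never).
PANEL = [
    ("A", 2005, 0, 10), ("A", 2006, 1, 16), ("A", 2007, 1, 17), ("A", 2008, 1, 18),
    ("B", 2005, 0, 30), ("B", 2006, 0, 31), ("B", 2007, 0, 32), ("B", 2008, 1, 38),
    ("C", 2005, 0, 20), ("C", 2006, 0, 21), ("C", 2007, 0, 22), ("C", 2008, 0, 23),
]


def _slope(xs, ys):
    """OLS slope of ys on xs for a single regressor."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return sxy / sxx


def pooled_ols(panel):
    """Regress notifications on the law indicator, ignoring state and year.

    Because states with high baseline counts adopt late (or never), the
    pooled slope mixes 'between state' level differences into the estimate.
    """
    xs = [row[2] for row in panel]
    ys = [row[3] for row in panel]
    return _slope(xs, ys)


def _group_means(panel, key_index, value_index):
    """Mean of one column per value of another column (state or year)."""
    sums, counts = defaultdict(float), defaultdict(int)
    for row in panel:
        sums[row[key_index]] += row[value_index]
        counts[row[key_index]] += 1
    return {k: sums[k] / counts[k] for k in sums}


def within_estimator(panel):
    """Two-way fixed effects slope.

    On a balanced panel, subtracting each state's mean and each year's
    mean (and adding back the grand mean) removes every state-specific
    level and every common year shock, so only variation *within* a
    state over time identifies the coefficient on the law indicator.
    """
    n = len(panel)
    demeaned_x, demeaned_y = [], []
    for value_index, out in ((2, demeaned_x), (3, demeaned_y)):
        by_state = _group_means(panel, 0, value_index)
        by_year = _group_means(panel, 1, value_index)
        grand = sum(row[value_index] for row in panel) / n
        for row in panel:
            out.append(row[value_index] - by_state[row[0]] - by_year[row[1]] + grand)
    return _slope(demeaned_x, demeaned_y)


def compare(panel=PANEL):
    """Return both estimates so the bias of pooled OLS is visible."""
    return {"pooled_ols": pooled_ols(panel), "fixed_effects": within_estimator(panel)}


if __name__ == "__main__":
    for name, beta in compare().items():
        print(f"{name:14s} estimated effect of SBNL: {beta:+.3f} notifications")
```

On this constructed panel the law adds exactly five notifications per state-year, which the within estimator recovers, while pooled OLS returns a negative number because it attributes the states' different baseline levels to the law.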


1.5 The approach

As already mentioned, this thesis consists of three parts. Part α is a theoretical study from a legal perspective. Part β is an empirical study from a security economics perspective. Part γ contains the synthesis and conclusions of part α and part β.

Part α is characterized by a converging approach. In chapter 2, the general concepts and developments of the European cybersecurity framework are analyzed. This is done from a policy perspective and a legal perspective. Hereafter, the discussion narrows down to Article 31 PDPR and Article 14 PCD in chapter 3. The origins, proportionality and design parameters of the laws are analyzed from a legal perspective. The design parameters of the law form substantive input for the empirical analysis in part β.

Part β is characterized by a threefold approach. The analysis of the effects of SBNLs from a security economics perspective is performed by three different research methods. First, analytical suggestions and empirical measurements about these effects are distinguished in literature. Second, an American dataset is used to analyze the effects of (characteristics of) the law on the amount of notifications. Third, a qualitative analysis is performed to review the perception of Dutch security experts and managers on effects of SBNLs and the outcomes of the quantitative analysis.

In part γ, the results of the three types of analysis are synthesized. This results in a conceptual framework and a comparison of the effects with the aims of the legislation, analyzed in part α. Hereafter, the conclusions and recommendations of the research are presented. The approach is displayed in the figure on the next page.


Figure 2: the approach of this thesis
[Figure content: Part α: Chapter 1 Introduction; Chapter 2 European cybersecurity framework; Chapter 3 Security breach notification laws (yielding the design parameters). Part β: Chapter 4 Literature review; Chapter 5 & 6 Data preparation and quantitative analysis; Chapter 7 Qualitative analysis. Part γ: Chapter 8 Synthesis; Chapter 9 Conclusions and recommendations. Jurisdiction labels in the figure: EU, NL, US.]


Part α: a European law perspective on cybersecurity and security breach notification laws

A European law perspective on cybersecurity necessitates the introduction of the European Cybersecurity Framework.

The European Cybersecurity Framework consists of a policy framework and a legal framework.

Within the policy framework, the main goals of European cybersecurity policy are displayed.

Within the legal framework, first, the main legal bases of European law are discussed. Second, some examples are given of important secondary law in the field of cybersecurity.

Furthermore, the origins of SBNLs in America and Europe are introduced.

Hereafter, the concept of proportionality is developed further in relation to Article 31 PDPR and Article 14 PCD.

The assessment of the European SBNLs results in the construction of functional characteristics of the law, which are used in part β for analyzing the first order effect of the law.

Knowledge about effects of the SBNL is substantive input for the legal proportionality test.


2 The European Cybersecurity Framework

A European law perspective on cybersecurity necessitates a description of relevant European policy goals and laws: the European Cybersecurity Framework. In section 2.1, the European policy framework is introduced. The legal framework is introduced in section 2.3. The legal foundations of cybersecurity in the Treaties and the Charter are addressed first. The European legislator has become increasingly active in pursuing the goals of the European cybersecurity policy and the objectives in the Treaties and the Charter by the adoption of a set of rules relating to both cybercrime and cybersecurity. In section 2.4, the PDPR and the PCD, which are the main topics of discussion, are addressed. Furthermore, an example of a proposal for enhanced cybercrime legislation is given: the proposed Directive on attacks against information systems (hereafter: PDIS).

2.1 European policy framework

In this section, cybercrime will be distinguished from cybersecurity. Hereafter, an overview is given of the policy goals and actions laid down in European Union soft law.

2.1.1 Cybercrime versus cybersecurity

The concepts cybercrime and cybersecurity are both addressed in European policy documents, but are distinguished by policy makers and academic researchers.[89] Cybercrime concerns the prosecution of criminals on the Internet, while cybersecurity policy relates to the resilience of computer systems regarding cyber-attacks. Cybercrime is defined as:

“the intentional access without right in an information system with the intent to create material or immaterial damage.”[90]

And cybersecurity is defined as:

“the protection of information and information systems against unauthorized access or modification of information, whether in storage, processing, or transit, and against denial of service to authorized users. Information security includes those measures necessary to detect, document and counter such threats.”[91]

[89] In the Netherlands, the Dutch authorities use this strict distinction. Interview with David van Duren & Bob Rijkhoek, Policy Analysts, Ministry of Safety and Justice (The Hague, the Netherlands, 6 November 2012).
[90] European Commission, ‘Proposal for a Directive on attacks against information systems and repealing Council Framework Decision 2005/222/JHA’ (Proposal for a Directive) COM(2010) 517 final, Article 3.
[91] Karl de Leeuw, ‘Introduction’, in Karl de Leeuw & Jan Bergstra (eds.), The History of Information Security: A Comprehensive Handbook (Elsevier, 2007) 2-3.


The police and the public prosecutor perform criminal law investigation on the Internet to trace and prosecute cybercriminals. Many stakeholders, such as companies, end-users and the government, are involved in attaining a high level of cybersecurity.[92] Hence, cybercrime is an extension of ordinary criminal law in the virtual environment, while cybersecurity is a completely new policy area.[93] Combating crime with an Internet dimension relates to the ‘ordinary’ criminal investigation.

2.1.2 European policy objectives

The highlights of the European policy framework are mapped in this section from 2001. The Convention on Cybercrime was signed in 2001, and the European Union introduced cybersecurity policy in 2001 as well.[94] The cybercrime and cybersecurity policy objectives can be found in European soft law.[95] In soft law, the main goals and tasks of the European Union are mentioned that should be attained by, amongst others, the adoption of legislation.[96]

This European policy framework gradually developed since 2001. There are many relevant documents that paved the way for extensive cybersecurity proposals, such as the PDPR and the PCD. A Communication of the Commission defined cybersecurity (called Network and Information Security) as:

“the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.”[97]

The Commission communication of 2006 on a secure information society updates the strategy of 2001 for new developments, such as increased deployment of mobile services and increased Internet insecurity.[98] In 2009, the Commission proposed an action

[92] Based on interviews with David van Duren & Bob Rijkhoek, Policy Analysts, Ministry of Safety and Justice (The Hague, the Netherlands, 6 November 2012) and Axel Arnbak, PhD student, Institute for Information Law, University of Amsterdam (Amsterdam, the Netherlands, 7 November 2012). See also: Michel J.G. van Eeten and Johannes M. Bauer, ‘Security Decisions, Incentives and Externalities’ (2008) (OECD STI Working Paper 2008/1) <www.oecd.org/Internet/ieconomy/40722462.pdf> accessed 14 June 2013.
[93] Paul Hunton, ‘The growing phenomenon of crime and the Internet: A cybercrime execution and analysis model’ (2009) 25(6) Computer Law & Security Review 528, 529.
[94] Convention on Cybercrime 2001; European Commission, ‘Communication on Network and Information Security’ (Communication) COM(2001) 298 final.
[95] Article 288 TFEU lists the different types of legislative acts in the European Union.
[96] Soft law is European legislation that is not legally binding, see: Linda Senden and Sacha Prechal, ‘Differentiation in and through Community Soft Law’, in Bruno De Witte, Dominik Hanf and Ellen Vos (eds), The Many Faces of Differentiation in EU Law (Intersentia, 2001), 182, 197.
[97] COM(2001) 298 final (n 94) Executive Summary.
[98] European Commission, ‘A strategy for a Secure Information Society – Dialogue, partnership and empowerment’ (Communication) COM(2006) 251 final; ‘Proposal on a European Strategy for Internet Security’ (European Commission Roadmap, November 2012)


plan on Critical Information Infrastructure Protection (CIIP) and adopted a revised regulatory framework for electronic communications, which included new provisions such as security breach notifications.[99] This regulatory framework provides an overview of the most important legislation concerning the telecommunications sector.

In the last few years, the European Commission prioritized cybersecurity on the European policy agenda. In 2010, trust and security became a Chapter of the Digital Agenda for Europe.[100] The Stockholm Programme underlined the importance of a cybersecurity agenda.[101] The 2012 proposal on a European Strategy for Internet Security aims to further embed a coherent European cybersecurity policy framework in national justice and governance systems.[102] A 2013 joint Communication on a cybersecurity strategy for the European Union is currently the culmination of the previous initiatives of the European Commission.[103]

The goals of the European policy framework, synthesized from the aforementioned policy documents, can be divided into four parts. First, the European Union aims to foster cooperation and share best practices between Member States. Second, the European Union aims to stimulate increased security efforts in end-products. Third, incident response capability has to be increased in order to more effectively mitigate the impact of incidents. Fourth, it aims to increase R&D investments in cybercrime. Several platforms are constituted to pursue the aforementioned goals.[104] The most important platform in the context of this thesis is the cybersecurity think-tank ENISA (the European Network and Information Security Agency). ENISA is the Union's main body of expertise that aims to develop, enhance and monitor cybersecurity policy goals, such as a security breach notification obligation.[105] The goals and the platforms of the European policy framework are displayed in the figure below.[106]

<http://ec.europa.eu/governance/impact/planned_ia/docs/2012_infso_003_european_Internet_security_strategy_en.pdf> accessed 12 June 2013.
[99] European Commission, ‘Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience’ (Communication) COM(2009) 149 final.
[100] ‘Digital Agenda for Europe’ (European Commission, 2013) <http://ec.europa.eu/digital-agenda/> accessed 21 January 2013.
[101] European Council, ‘The Stockholm Programme – An open and secure Europe serving and protecting citizens’ (Notice) [2010] OJ C 115/01.
[102] Proposal on a Strategy for Internet Security (n 98).
[103] European Commission, ‘Cybersecurity Strategy for the European Union’ (Joint Communication) JOIN(2013) 1 final.
[104] The most notable platforms of the European Cybersecurity Framework are: EISAS (European Information Sharing and Alert System), EFMS (European Forum for Member States on public policies for security and resilience in the context of Critical Information Infrastructure Protection), EC3 (European Cybercrime Centre), ENISA (European Network and Information Security Agency), ITU (International Telecommunications Union) and EP3R (European Public-Private Partnership for Resilience).
[105] The proposal for a Regulation concerning ENISA gives a new five year mandate and enhanced instruments for the further development of European cybersecurity, see: European Commission, ‘Proposal for a Regulation concerning the European Network and Information Security’ (Proposed Regulation) COM(2010) 521 final.
[106] European Commission, ‘Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience’ (Communication) COM(2009) 149 final; ‘Digital


Figure 3: the European Policy Framework
[Figure content: Foster cooperation and share best practices (between member states; internationally; through public-private partnerships). Improve security in products, networks & services. Enhance incident response capability. Improve R&D investments in Internet security. For instance: security breach notification laws (Action 34 of the Digital Agenda for Europe).]

2.2 The European legal framework: the Treaties and the Charter

The Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and the Charter of Fundamental Rights of the European Union (hereafter: the Charter) are the main sources of primary law of the European Union.[107] An analysis of the sources of primary law of the European Union is necessary to assess the legal basis of the European Cybersecurity Framework. The Treaties, amongst others, constitute the structure, power and distribution of competences of the Union. Within the Charter, fundamental rights are enshrined.[108]

The European Union is a supranational institution.[109] Its 28 Member States partly gave up national sovereignty in order to achieve societal goals that were not attainable individually.[110] European law is in principle supreme over national law and legislation is

Agenda for Europe’ (n 100); ‘Interview Mikko Hypponen’ (Tweakers, 20 October 2012) <http://tweakers.net/video/6478/mikko-hypponen-over-cybercrime-en-digitale-oorlog.html> accessed 22 October 2012.
[107] Consolidated Version of the Treaty on European Union [2008] OJ C 115/13; Consolidated Version of the Treaty on the Functioning of the European Union [2008] OJ C 115/47; Charter of Fundamental Rights of the European Union [2000] OJ C 364/1.
[108] The Court's case law determines to a great extent the role fundamental rights play in European Union law, see section 3.2 of this research.
[109] Craig & de Búrca (n 3) 2, 3.
[110] The Member States of the European Union are (year of entry): Austria (1995), Belgium (1952), Bulgaria (2007), Cyprus (2004), Croatia (2013), Czech Republic (2004), Denmark (1973), Estonia (2004), Finland (1995), France (1952), Germany (1952), Greece (1981), Hungary (2004), Ireland (1973), Italy (1952), Latvia (2004), Lithuania (2004), Luxembourg (1952), Malta (2004),



directly applicable.[111] Supremacy means that national legislation that conflicts with European law has to be set aside.[112] Direct applicability means that European legislation, once it is adopted according to the European legislative procedure, instantly becomes part of national law.[113] National parliaments cannot obstruct the adoption of European law after the completion of the legislative procedure.[114] European legislation thus in principle can be an effective tool to achieve societal goals for the European Union in its entirety.

A general political debate regarding the European Union concerns the distribution of competences between the European Union and the Member States: the extent to which national autonomy should be retained.[115] The distribution of competences regarding (cyber)security is a subject of tight balancing. Member States historically demanded autonomy to determine their own legislation concerning criminal justice and national security.[116] But the European Union is increasingly allowed by these Member States to set legislation in the field of cybersecurity, either by means of Single Market legislation, the Area of Freedom, Security and Justice or the protection of Fundamental Rights. The Single Market provisions mostly relate to the economic goals that the Internet should attain, but also have social objectives. The Area of Freedom, Security and Justice is the legal basis for cybercrime legislation. The Charter safeguards the fundamental rights relating to cybersecurity.

2.2.1 The European Single Market

The European legislator adopts rules concerning cybersecurity in the context of the European Single Market.[117] Single Market legislation aims to “integrate the national markets of the Member States into a single European market”.[118] The Single Market is defined in Article 26(2) TFEU as:

Netherlands (1952), Poland (2004), Portugal (1986), Romania (2007), Slovakia (2004), Slovenia (2004), Spain (1986), Sweden (1995) and the United Kingdom (1973).
[111] Ibid. 256-261; Case C-6/64 Costa/ENEL [1964] ECR 585; Case C-26/62 Van Gend en Loos [1963] ECR 1.
[112] Jan Jans, Roel de Lange, Sacha Prechal and Rob Widdershoven, Europeanisation of Public Law (Europa Law Publishing 2007), 63.
[113] The basis for direct applicability is laid down in Article 288 TFEU. The most commonly used ordinary legislative procedure is laid down in Article 289 TFEU.
[114] There is however a possibility for national parliaments to obstruct the legislative procedure as such, called the ‘yellow card’ of national parliaments. If one third of the national parliaments has a reasoned opinion that a draft legislative act is non-compliant with the principle of subsidiarity, this draft act must be reviewed (Article 69 TFEU; Article 6 and Article 7 of the Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality [2007] OJ C 310/207); see also Ton van den Brink, ‘The Substance of Subsidiarity: The Interpretation and Meaning of the Principle after Lisbon’ in Martin Trybus and Luca Rubini (eds), The Treaty of Lisbon and the Future of European Law and Policy (Edward Elgar Publishing 2012).
[115] Craig and de Búrca (n 3) 291.
[116] Ibid, 926.
[117] Also called: the Internal Market.
[118] Chalmers (n 2) 674; the Single Market is sometimes also called the internal or common market.


“an area without internal frontiers in which the free movement of goods, persons, services and capital is ensured in accordance with the provisions of the Treaties.”

The European Union strives for a highly competitive social market economy (Article 3(3) TEU). The Single Market legislation has a social and an economic objective: from an economic point of view, the absence of trade barriers and distortions of competition ought to stimulate interstate trade and consequently economic growth. An advanced Single Market should result in a level playing field for European companies in operating their businesses. This homogeneity brings economic benefits such as economies of scale because, for instance, it is much easier for companies to conduct their businesses abroad. From a social point of view, Single Market legislation harmonizes national legislation that aims to protect national interests. The European legislator can decide in which form harmonization is necessary. It can put a non-economic, social interest in the foreground, such as public safety, provided that the legislation meets the economic hurdle.[119]

The European Single Market requires cybersecurity because a secure Internet is a prerequisite for the digital economy. The European Commission explains this in the explanatory memorandum of the PCD:

“network and information systems play an essential role in facilitating the cross-border movement of goods, services and people. They are often interconnected, and the Internet is global in nature. Given this intrinsic transnational dimension, a disruption in one Member State can also affect other Member States and the EU as a whole. The resilience and stability of network and information systems is therefore essential to the smooth functioning of the Internal Market”[120]

Internet insecurity hinders companies in operating their business. This can hinder the Freedom to Provide Services, laid down in Article 55 and 56 TFEU. In this situation, European legislation to align cybersecurity initiatives can be justified, because legislation by Member States individually will result in market distortions. Individual legislation, such as national SBNLs, results in different and potentially unequal treatment of companies conducting business in the Single Market. A total Single Market in the field of the digital economy has not been attained yet, because there are many obstacles for interstate digital trade, such as different data protection laws. An influential report about the Single Market led by Mario Monti concluded that: “there is a

[119] Craig & de Búrca (n 3) 607; Case C-379/98 Germany v Parliament and Council (Tobacco Advertising I) [2000] ECR I-8419; there can be a risk of underestimating these social interests if they conflict with the economic aims of the Single Market.
[120] PCD (n 4), Explanatory Memorandum.


strong demand for an effective level playing field, in areas such as the digital economy, where the Single Market does not yet exist”.[121]

The European legislator has the aim to attain the Single Market for the digital economy. There is a layered legal base for the adoption of legislation to fulfill this aim. Article 26 TFEU states the goals of the Single Market, while the main legal base for adopting legislation is Article 114 TFEU. However, this legislative harmonizing power based on Article 114 TFEU is bound to limits: legislation must contribute to removing obstacles for interstate trade or distortions of competition.[122] Article 16 TFEU is important for cybersecurity legislation as well, as it concerns the protection of personal data for natural persons.[123] Article 16 TFEU can be regarded as a lex specialis of Article 114 TFEU. The regulation of data protection by the Member States individually can result in market distortions and suboptimal protection of individuals. The protection of personal data is also regarded as a fundamental right, enshrined in Article 8 of the Charter.[124] The two provisions have an equal value. This is stipulated by the fact that Article 16 TFEU and Article 8 of the Charter have the same formulation.[125] The importance of the establishment of cybersecurity in the context of the Single Market is also emphasized with regard to specific infrastructures, such as energy security (Article 194(1)(b) TFEU).

2.2.2 The Area of Freedom, Security and Justice

Cybercrime is regulated in the context of the Area of Freedom, Security and Justice (hereafter: AFSJ), enshrined in Title V of the TFEU.[126] The general objectives of the Union, laid down in Article 3(2) TEU, state the importance of the AFSJ.

Cybercrime is mentioned in Chapter 3 of Title V of the TFEU. This section inter alia regulates judicial cooperation in criminal matters. Combatting cybercrime is also explicitly mentioned as an aspect of the Area of Freedom, Security and Justice in Article 67(3) TFEU: “The Union shall endeavour to ensure a high level of security through measures to prevent … crime”. Article 83(1) TFEU is a legal basis for the European legislator to establish minimum rules for, inter alia, the fight against ‘computer crime’:

[121] Mario Monti, ‘A New Strategy for the Single Market, at the service of Europe's Economy and Society’ (European Commission, 9 May 2010), 27 <http://ec.europa.eu/bepa/pdf/monti_report_final_10_05_2010_en.pdf> accessed 13 June 2013.
[122] Chalmers (n 2) 697; Tobacco Advertising I (n 119) para 86.
[123] Carl-Otto Lenz and Klaus-Dieter Borchardt, EU-Verträge Kommentar nach dem Vertrag von Lissabon (Bundesanzeiger Verlag 2010) 366.
[124] Those rights are not absolute, see: Volker Schecke (n 1).
[125] Lenz & Borchardt (n 123) 365.
[126] Before the Treaty of Lisbon, the European Union contained a separate pillar for Police and Judicial Co-operation in Criminal Matters. The main legal instrument of this pillar, the Framework Decision, did not have a vertical direct effect such as the Directive. The Court however stated in the Pupino case that the Framework Decision had a form of indirect effect (consistent interpretation), which marked a tendency to increase European power in the field of security and justice. See: Case C-105/03 Criminal proceedings against Maria Pupino [2005] ECR I-5285, para 31; André Klip, European Criminal Law, an integrative approach (second edition, Intersentia 2012), 18.


“The European Parliament and the Council may, by means of Directives adopted in accordance with the ordinary legislative procedure, establish minimum rules concerning the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis”

The regulation of crime and security in the context of the European Union focuses on adopting minimum rules concerning the definition and sanctioning of cybercrime. The PDIS will be discussed as a relevant example of European cybercrime law.

2.2.3 The Charter of Fundamental Rights

A secure Internet is desirable in order to guarantee non-economic values, such as the freedom of speech and the right of privacy through the protection of personal data.[127] In European law, these fundamental rights are enshrined in the Charter of Fundamental Rights of the European Union. The Charter was introduced in December 2000 as a document to show the achievements of the EU on the terrain of fundamental rights. However, its legal status remained ‘undetermined’ at the time.[128] With the entry into force of the Treaty of Lisbon, Article 6 TEU granted the Charter the same legal value as the Treaties. This equal legal value stressed the fact that fundamental rights form an integral part of the assessment of legislation. The European legislature must, when proposing cybersecurity laws, such as the SBNL, take into account the fundamental rights as embodied in the Charter. The PDPR is even designed to safeguard the right of protection of personal data in the Charter. The second element of the proportionality principle assesses the proper balance between the aims pursued in the legislation and fundamental rights.[129]

The Charter was originally designed to reflect the existing traditional fundamental rights of the EU.[130] However, the drafters of the Charter also added other fundamental rights, which are outside the scope of these traditional fundamental rights. Article 16 of the Charter for instance contains a fundamental right of the freedom to conduct business, which is not mentioned in the ECHR. This thesis discusses the PDPR and the PCD.

As said, European Union institutions must take into account fundamental rights, also when proposing legislation. This was decided far before the adoption of the Charter. In the Stauder case, fundamental rights are recognized as general principles of European law.[131] The Court stipulated in

[127] Daniel Drewer & Jan Ellermann, ‘Europol's data protection framework as an asset in the fight against cybercrime’ (Europol, 19 November 2012), 393 <https://www.europol.europa.eu/sites/default/files/publications/drewer_ellermann_article_0.pdf> accessed 11 June 2013.
[128] Craig & de Búrca (n 3) 394.
[129] Ibid, section 3.2.
[130] Mainly the rights in the European Convention on Human Rights (ECHR).
[131] Sybe A. de Vries, ‘The Protection of Fundamental Rights within Europe's Internal Market after Lisbon – An Endeavour for More Harmony’ in Sybe A. de Vries, Ulf Bernitz and Stephen


Internationale Handelsgesellschaft that respect for fundamental rights forms an integral part of the general principles of law protected by the Court of Justice. The Volker Schecke case first gave a clear notion of the requirements for designing European legislation in relation to the obligations flowing from the Charter.[132] It states that the validity of European Union Regulations must be assessed in the light of the Charter.[133] The case also stressed that, unlike absolute rights such as the prohibition of torture and the right to life, most fundamental rights are not absolute, for example the fundamental rights related to Internet security, which are at issue in this thesis. These rights must be considered in relation to their function in society and thus also in relation to other aims that are achieved by means of legislation.[134]

Member States also have to take into account the fundamental rights enshrined in the Charter, just as European institutions.[135] This obligation only applies to situations when the Member States implement EU law, which is interpreted broadly (Article 51(1) of the Charter). For instance, discretionary powers conferred on Member States by a European Regulation fall within the scope of Article 51 of the Charter.[136] Member States can invoke the Charter for several reasons, for instance to justify a restriction on free movement rules by a fundamental right or by another public interest that must be interpreted in the light of fundamental rights.[137]

The PDPR and the PCD mention several fundamental rights associated with the provisions they contain.[138] The PDPR mentions the respect for private and family life protected by Article 7 of the Charter; the freedom of expression (Article 11 of the Charter); freedom to conduct business (Article 16); the right to property and in particular the protection of intellectual property (Article 17(2)); the prohibition of any discrimination, amongst others on grounds such as race, ethnic origin, genetic features, religion or belief, political opinion or any other opinion, disability or sexual orientation (Article 21); the rights of the child (Article 24); the right to a high level of human health care (Article 35); the right of access to documents (Article 42); the right to an effective remedy and a fair trial (Article 47).[139] The PCD states in the explanatory memorandum that concerted practices in the context of European cybersecurity “can have a strong

Weatherill (eds), The Protection of Fundamental Rights in the EU after Lisbon (Hart Publishing, 2013) 194; Case 29/69 Erich Stauder v City of Ulm – Sozialamt [1969] ECR 419.
[132] Volker Schecke (n 1).
[133] Ibid, para. 46.
[134] Ibid, para. 48 and for instance: Case C-112/00 Schmidberger [2003] ECR I-5659, para. 80.
[135] Craig & de Búrca (n 3) 394; [2000] OJ 394; De Vries (n 131) 195; also see Article 52 of the Charter, discussed in section 3.2.
[136] See for instance: Joined Cases C-411/10 and C-493/10 N.S. v Secretary of State for the Home Department [2011] ECR I-0000, paras 64-69.
[137] See for the former situation: Schmidberger (n 134) and for the latter situation: Case C-260/89 Elliniki Radiophonia Tileorassi AE (ERT) v Dimotiki Etairia Pliroforissis and Sotirios Kouvelas [1991] ECR I-2925. There are many other cases in this intensively discussed topic. This thesis aims to examine proposals of the European legislature and therefore this situation will not be elaborated upon further.
[138] PDPR (n 4), Explanatory Memorandum, section 3.3.
[139] Ibid, Explanatory Memorandum, section 3.2.


positive impact for the effective protection of fundamental rights, and specifically the right to the protection of personal data and privacy.”[140] In addition to that, the PCD needs to be implemented according to the Fundamental Rights in the Charter.[141]

2.3 Proposals for cybercrime and cybersecurity legislation

SecondarylegislationeffectuatestheUnion’scompetencefixedinthesourcesofprimarylawandisusedtoattaintheUnion’sobjectives.142Asstatedinsection2.2,Europeanlawhas supremacy over national law. The concept of direct effect further explains therelationofsecondary legislationwithnational law.Directeffectmeans that legislationdirectly ‘confers’rightsandobligationsonindividuals.143For instance, individualsmayinvokedirectlyeffectivelegislationbeforethenationalcourt.TheconceptofdirecteffectthusisimportanttovaluethedegreeofembedmentofEuropeanlawintothenationallegalsystem.Regulationshaveageneralapplicationandaredirectlyeffectivebytheirnature.144Forinstance, an individual who did not receive a personal data breach notification caninvokeArticle32PDPR,ifthisproposedRegulationwouldbeadopted.Inthesameway,thePDPRalsoimmediatelyconfersobligationtowardsdataproviderstonotifysecuritybreaches. However, the most frequently used instrument to adopt legislation is theDirective.Directivesarebindingtotheresulttobeachievedandareusedforminimumharmonizationofnationallegislation.145DirectivesimposeobligationsonMemberStatesto changeoradoptnational law inconformitywith the requirements in theDirective.Directives thus are addressed to theMember State anddo not impose obligations onindividuals.146Directivescanhavedirecteffect,butonlyiftheprovisionsintheDirectiveare unconditional and sufficiently precise.147This direct effect is only vertical, in thesense thatan individualcanonly relyonaDirectiveagainst thestate, andbut cannotrely on a Directive against individuals (this is called horizontal direct effect).148Moreover,inverseverticaldirecteffect(theinvocationofaDirectivebythestateagainstan individual) is also prohibited. 
This means that any security breach notification obligations for companies flowing from the PCD must, in principle, be implemented by the Member States to impose obligations on those companies.

The European legislator has become increasingly active in pursuing the goals of the cybersecurity policy by the adoption of a set of rules relating to both cybercrime and cybersecurity. During the last decade, a number of Regulations and Directives in the field of E-commerce, telecommunications and cybersecurity have emerged. This section maps some relevant rules concerning the European cybersecurity policy. Several studies already made extensive overviews of European rules regarding information and communication technology.149 First, an example of cybercrime legislation is given. Hereafter, the PDPR and the PCD are discussed.

140 PCD (n 4) Explanatory Memorandum, section 3.2.
141 Ibid, section 3.1.
142 Craig & de Búrca (n 3) 103; Case 93/71 Leonesio v. Italian Ministry of Agriculture [1972] ECR 293.
143 Van Gend en Loos (n 111); Jans (n 112) Chapter 3.
144 Article 288 TFEU.
145 Ibid.
146 The fact that a claim based on a Directive in a vertical relation has negative effects for a third party does not make it prohibited for an individual to invoke this Directive against the national authority; for this horizontal side effect see: Cases C-152/07 & C-154/07 Arcor [2008] ECR I-5959, par. 35; Jans (n 112) 78-84.
147 Jans (n 112) 65; Case 41/74 Van Duyn [1974] ECR 1337.
148 Case 80/86 Kolpinghuis [1987] ECR 3969.

2.3.1 The PDIS and the FDIS

The PDIS is a typical AFSJ Directive that aims for minimum harmonization in the area of cybercrime, by proposing to align and update national cybercrime rules. Hence, the PDIS does not concern data protection.150 It introduces an enhanced framework for the criminalization of cybercrime and the improvement of European criminal investigation cooperation.151 The PDIS addresses the need to further eliminate obstacles to investigate and prosecute cybercriminals in cross-border cases.152 The Commission argues that European assistance is needed to fight cybercrime, because connecting elements of an attack are typically situated in different locations and in different Member States.153

Offenders have to be prevented from moving to Member States in which legislation against cyber-attacks is more lenient, by means of harmonization of legislation.154 For instance, the Directive aims to incorporate the criminalization of the latest cybercrime technology, such as botnets, in national legal systems.155 Moreover, shared definitions of cybercrime terminology make it possible to exchange information and collect and compare relevant data.

The PDIS repeals the Framework Decision on attacks against information systems (hereafter: FDIS) because of the abolishment of this third pillar instrument after the Treaty of Lisbon.156 Both the FDIS and the PDIS strongly build upon the Convention on Cybercrime of 2001, the landmark in international cybercrime cooperation.157 The PDIS respects fundamental rights, most notably those related to personal data and criminal justice. Recital 16 of the PDIS states the respect for “the protection of personal data, freedom of expression and information, the right to a fair trial, presumption of innocence and the rights of the defence, as well as the principles of legality and proportionality of criminal offences and penalties” in particular.

149 For instance by a research of DLA Piper commissioned by the European Commission, see: European Commission & DLA Piper, ‘Legal Analysis of a Single Market for the Information Society’ (DLA Piper, 2009) <http://ec.europa.eu/information_society/newsroom/cf/itemdetail.cfm?item_id=7022> accessed 10 June 2013; European Commission, ‘Regulatory framework for electronic communications in the European Union, Situation in December 2009’ (European Commission, 2009) <http://ec.europa.eu/information_society/policy/ecomm/doc/library/regframeforec_dec2009.pdf> accessed 10 June 2013.
150 PDIS (n 90); it therefore does not concern data protection.
151 Esther Meijer, ‘Convention on cybercrime, Data protection in information systems through criminal law; a comparison between the EU and the US.’ (Master Thesis, Utrecht University, 2012) 29.
152 Ibid.
153 Framework Decision (FD) 2005/222/JHA on attacks against information systems [2005] OJ L69/67, Explanatory Memorandum under 3), which is only partly implemented, see: European Commission, ‘Report from the Commission to the Council Based on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems’ (Communication) COM(2008) 448 final, Explanatory Memorandum under 3).
154 PDIS (n 90) Articles 4, 5 and 6.
155 PDIS (n 90) Recital 9.

2.3.2 The PDPR and the PCD

In January 2012, the European Commission proposed the Data Protection Regulation, based on Article 16 TFEU. The PDPR concerns the protection of the general processing of personal data. The European legislature has chosen for the use of a Regulation because “The direct applicability of a Regulation in accordance with Article 288 TFEU will reduce legal fragmentation and provide greater legal certainty by introducing a harmonized set of core rules”.158 A Regulation thus makes it easier to quickly harmonize the regulation of data protection.

The PDPR updates the ‘old’ Directive on data protection.159 This Directive was adopted in a time when the Internet did not have a major impact on economic and social life.160 The Regulation imposes more obligations on the addressees of the PDPR, controllers of personal data. An example is the personal data breach notification obligation in Article 31 PDPR. However, they also “benefit from the fact that harmonization will be strengthened because of the strong harmonizing effect of the Regulation”.161 The Commission refers to the assumption that homogeneity of laws in the Single Market will bring economic benefits for companies.162 Moreover, the data subject, the individual whose data is processed, gains more protection in the PDPR.163 The PDPR sets rights for processing of personal data such as transparent information and communication of transfer of personal data and the right to receive a notification of a personal data security breach.164

Legal scholars are positive about the fundamental rights protection in the PDPR, because of extensive fundamental rights safeguards regarding the protection of personal data and privacy.165 Article 1(2) of the PDPR provides that Member States shall protect fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data. In theory, legal scholars are right that the PDPR indeed aims to enhance personal data control. But there is uncertainty whether the PDPR can also achieve these aims in practice. This question will be extensively reviewed in the upcoming chapters.

One year after the PDPR, in mid-February 2013, the Commission proposed the Cybersecurity Directive.166 The PDPR primarily focuses on the safeguarding of the fundamental right of personal data protection. The PCD focuses on ensuring a high level of network and information security across the Union. The main reason to adopt the Directive was the “insufficient level of protection against network and information security incidents, risks and threats across the EU undermining the proper functioning of the Internal market”.167 The Directive contains obligations for Member States concerning incident response mechanisms and requirements for companies to improve security. Contrary to the uniformity of the PDPR, the PCD aims to harmonize national initiatives on cybersecurity. It is up to the Member States to fill in these requirements; the Directive states that companies must take “appropriate technical and organisational measures” to establish security. In the second chapter, the Directive prescribes that the Member States should define a national cybersecurity framework with concrete measures to improve Internet security. Each Member State shall establish competent authorities as a central organ to improve security.168 The third chapter concerns structured and fostered cooperation between these competent authorities by, amongst others, the organization of security exercises. The fourth chapter concerns security requirements and a loss of integrity security breach notification obligation. Article 14(2) PCD regulates that Member States should implement an SBNL focusing on the loss of integrity.

The PDPR and the PCD both concern SBNLs. The PDPR directly adopts an SBNL related to data protection and the PCD harmonizes national SBNLs focusing on the loss of integrity. A detailed analysis of the main aspects of SBNLs will be provided in the next chapter, which also draws attention to the relationship between the PDPR and the PCD.

156 FDIS (n 153).
157 Francesco Calderoni, ‘The legal framework for cybercrime: striving for an effective implementation’ (2010) 54(5) Crime, Law and Social Change 339, 344; Meijer (n 151) 29; the Convention on Cybercrime is however only ratified by 15 of the 27 EU Member States.
158 PDPR (n 4) Explanatory Memorandum.
159 Council Directive (EC) 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281.
160 De Hert (n 61) 130, 131.
161 Ibid, 140.
162 See section 2.2.1 of this research.
163 PDPR (n 4) Article 4(1).
164 Ibid, Chapter 3.
165 De Hert (n 61) 141.

2.4 Conclusions – a European cybersecurity approach?

Policy makers and academic researchers often distinguish cybercrime from cybersecurity. The aim of cybercrime policy is detecting and prosecuting cybercriminals. Cybersecurity concerns the enhancement of digital resilience. The European Union policy framework gradually developed from the beginning of the millennium and has become very extensive. The European cybersecurity policy focuses on fostering cooperation and sharing of best practices, the improvement of security in products, networks and services, the enhancement of incident response capability, and the improvement of R&D investments in cybersecurity. There are multiple platforms responsible for the coordination of those policies. The cybersecurity think tank ENISA is the Union’s main body of expertise, and, perhaps, the most important platform for developing strategies concerning cybersecurity within Europe.

The European Single Market requires an increasing protection of cybersecurity and thus is a driver for the adoption of legislation. Cybercrime is regulated in the context of the Area of Freedom, Security and Justice, but the powers of the European legislature are limited to the establishment of minimum rules and cooperation. The European Charter of Fundamental Rights safeguards the non-economic values associated with the Internet, such as the freedom of speech and the protection of personal data. The latter is also regulated in the context of the Single Market.

The Commission argues that the European Union has a leadership role in enhancing cybersecurity. The Commission mentions the cross-border aspect of the Internet and the necessity of the Internet for the digital Single Market. Harmonization will, according to the Commission, constitute a level playing field for companies operating on the digital Single Market. Cybersecurity and cybercrime legislation, such as the PDIS and the E-Privacy Directive, are adopted in the context of the European Union. This demonstrates the acceptance of the European approach in cybersecurity. A broad range of cybersecurity initiatives in European soft law shows that the European Union becomes increasingly active in the field of cybersecurity.

166 PCD (n 4).
167 Impact assessment PCD (n 8), section 4.1.
168 PCD (n 4) Article 6(1); the Dutch NCSC can be regarded as such a competent authority.


3 Security breach notification laws

In the previous chapter, the European policy and legal framework relating to cybersecurity has been introduced. One aspect of the European Cybersecurity Framework is the security breach notification obligation. This chapter assesses the origins, proportionality and design parameters of SBNLs. Section 3.1 introduces the origins of SBNLs in the United States. The development of the European Union SBNL will be discussed along two lines, the personal data SBNL in Article 31 PDPR and the simultaneously proposed loss of integrity SBNL in Article 14 PCD. The Dutch initiative for an SBNL is an example of a possible implementation of Article 14. In section 3.2 the proportionality requirements of the European Court of Justice will be assessed in the light of Article 31 PDPR and Article 14 PCD. In section 3.3, the similarities and conflicting differences between the European initiatives are analyzed and grouped in design parameters. Design parameters are aspects of functional characteristics of the law. The design parameters are input for the literature review, the quantitative analysis on American SBNLs and the qualitative analysis with Dutch experts in part β.

3.1 Origins

3.1.1 In the United States

Already at the beginning of this century, the United States started to adopt SBNLs that concern breaches of personal data. California was the first state to adopt legislation in 2002 and other states quickly followed. The company ChoicePoint, which experienced a major security breach affecting 145,000 people, was the first company to disclose this according to security breach legislation.169 In 2012, forty-six states had adopted an SBNL.170 An example of an American SBNL can be found in the Texas Business and Commerce Code, §521.03:

“A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

In the context of this thesis, these Regulations are not important because of their legal force, but rather because their (first order) effects can be studied empirically.

169 ‘Overview Security Breaches’ (NCSL, 2013) <http://www.ncsl.org/issues-research/telecom/overview-security-breaches.aspx> accessed 2 February 2013.
170 Ibid.


Researchers suggest that, after the adoption of SBNLs, an increase in notified security breach incidents can be observed, caused by the notification obligations.171 Part β will perform an analysis on the first order effect of SBNLs.

There are differences between American SBNLs. Sanctions are sometimes called ‘vigorous’.172 For instance, in Virginia the penalty for not complying with the Regulation can be 150,000 dollars. On the other hand, some laws seem to be more lenient. A penalty in Washington can only be imposed in an indirect way, through a civil liability action for the damage caused by failure to comply with the statute.173 Most laws focus on informing consumers, but some also require notifying an official supervising institution.174 Addressees are companies and governments that lost data of their customers. In some cases, encrypted data is included in the scope of the law. This variety in the design of an SBNL has resulted in initiatives to pass a federal security breach notification law.175 The United States aims to integrate separate SBNLs, because there are coordination problems and legal uncertainty concerning the separate U.S. laws on state level. The applicability of an SBNL is based on the residency of the consumer whose personal data is breached. There are many companies with a nationwide customer base. Often, a security breach has to be notified according to multiple jurisdictions to multiple supervising authorities, which causes legal uncertainty and administrative burdens.

The American laws focus on the protection of personal data and impose sanctions on non-compliance. Hence, the American laws have more similarities with the PDPR, which also includes a personal data breach criterion and can impose sanctions. The PCD and the Dutch legislative initiative focus on loss of integrity and do not impose sanctions.

3.1.2 EU: Article 31 PDPR

A general security breach notification requirement can be found in Article 31 PDPR. The aim of the PDPR is “to ensure that individuals are in control of their personal data and trust the digital environment”176 in order to “increase the effectiveness of the fundamental right to data protection”.177

171 Jan Muntermann and Heiko Roßnagel, ‘On the Effectiveness of Privacy Breach Disclosure Legislation in Europe: Empirical Evidence from the US Stock Market’ (2009) 5838 Lecture Notes in Computer Science 1, 2.
172 Marne Gordan, ‘When should companies go public following a security breach?’ (2006) 9 Computer Fraud and Security 17.
173 Washington S.B. 6043, Wa. Rev. Code, tit. 19, §255.010 (see sections 5.2.2 and 5.2.4 of this research for a quantitative classification).
174 Jennifer R., ‘An Analysis of Data Breach Notifications as Negative News’ (2012) 75(2) Business Communication Quarterly 192, 193; see for example the Idaho Statutes §§28-51-104 to 28-51-107. The supervising authority is in this case the Attorney General. See section 5.2.6 of this research.
175 DLA Piper (n 149) 45.
176 Impact Assessment PDPR (n 6), section 5.3.1.
177 Ibid.


What was the reason for the European Union to adopt a security breach notification obligation? Directive 95/46/EC and Directive 2002/58/EC impose the obligation for data controllers to ensure the security of processing of personal data. However, enforcement of these obligations is complicated, as this would require an internal assessment of the security systems of every data controller. The Commission believes that “inadequate security measures are only discovered in cases where breaches of security occur and come to the knowledge of the authorities of the public.”178 The Commission assumes that a personal data breach notification obligation results in this adequate information. Moreover, the SBNL should result in faster risk mitigation for consumers. Recital 67 of the PDPR states that: “A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned.”

The personal data SBNL has been required in the telecommunication sector since 2009. Directive 2009/136/EC, known as the E-Privacy Directive, introduced a personal data SBNL for the telecommunication providers:179

“In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority. When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay.”

There was a need for general legislation, because of the risk that “data breaches also exist in other sectors”.180 The cybersecurity think-tank ENISA also advised to extend the E-Privacy Directive to have general application. ENISA pointed out the advantage of extensive data collection about security breach events, because data is otherwise “collected by parties such as security vendors or law enforcement agencies that have a vested interest in under- or over-reporting.”181 This resulted in Article 31 PDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.”

178 Ibid, section 14.1.4.
179 Article 4(2) of Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, OJ L337/11.
180 Impact Assessment PDPR (n 6), section 3.4.1.
181 Anderson (n 48).


Article 32 requires data controllers to notify affected individuals as well:

“When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.”

As said, the Regulation builds on the Data Protection Directive of 1995 (Directive 95/46/EC), which did not contain a security breach notification requirement. The wording of the security breach notification requirement in the PDPR is based on Article 4(2) of the E-Privacy Directive of 2009 regarding telecommunication providers.182

3.1.3 EU: Article 14 PCD

An SBNL focusing on loss of integrity can be found in Article 14 PCD. The Directive initiates and harmonizes initiatives for the Member States, such as the Dutch initiative on a loss of integrity SBNL.183 The aim of the SBNL is “to create a culture of risk management and improve the sharing of information between the private and public sectors”.184 The Commission also mentions a first order aim of the SBNL: to ensure that NIS (Network & Information Security) breaches with a significant impact are reported to the national competent authorities.185 The PCD is proposed from a (cyber)security perspective. The historical hesitance of Member States towards European Union actions concerning national (cyber)security explains the use of the less severe instrument of the Directive in the PCD.186

The origins of the general loss of integrity SBNL can be found in Directive 2009/140/EC. This Directive amends the common regulatory framework for electronic communication networks.187 The Directive applies, for instance, to mobile telephone operators and thus not to every company maintaining data of citizens.188 Article 13a contains an SBNL for telecommunication providers:

“Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services notify the competent national regulatory authority of a breach of security or loss of integrity that has had a significant impact on the operation of networks or services.”

182 See also: de Hert (n 61).
183 Impact assessment PCD (n 8), section 4.1.1.
184 Ibid, section 5.4.3.
185 Ibid, annex 13.
186 The PDPR has been approached from a personal data protection perspective, a European policy area where (total) harmonization has more political endorsement.
187 Council Directive (EC) 2009/140 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services [2009] OJ L337/37.
188 The Directive had to be transposed into national legislation by the EU Member States in May 2011 and is transposed in the Netherlands. The Dutch breach notification obligation is laid down in Article 11.3a Telecommunicatiewet (Telecommunications Act).

Article 14(1) PCD states that Member States shall implement a general loss of integrity SBNL:

“Member States shall ensure that public administrations and market operators notify to the competent authority incidents having a significant impact on the security of the core services they provide.”

It is notable that the loss of integrity SBNL only includes significant security breaches. It is however unspecified what is meant by significant. Article 15(5) provides an instruction for close cooperation of these competent authorities with the authorities responsible for the execution of personal data protection. This especially applies when a loss of integrity also includes a personal data breach, as is explained in the explanatory memorandum.189 The drafters of the Directive thus saw overlap between the two types of security breaches and therefore urge the Member States to “implement the obligation to notify security incidents in a way that minimizes the administrative burden in case the security incident is also a personal data breach”.

A Dutch Lower House letter of 2012 contained the desire to design a general Dutch SBNL as a response to a major security breach at Dutch governmental institutions in 2011, known as the DigiNotar affair.190 This initiative fits the assignment that the PCD gives to adopt national loss of integrity SBNLs. One of the starting points of the legislation is that it should be in line with the European legislation (i.e. the PCD). The SBNL should be developed in cooperation with public and private partners and it is the responsibility of those private partners to cooperate with the government.191

The central organ to process the loss of integrity SBNL is the Dutch National Cyber Security Centre (NCSC), which has been operating since 1 January 2012. The core tasks of the NCSC are to build and share knowledge, enhance incident response capability and strengthen crisis management.192

189 PCD (n 4) Explanatory Memorandum, section 1.3.
190 ‘Het Diginotar incident, Waarom digitale veiligheid de bestuurstafel te weinig bereikt’ (Onderzoeksraad voor de veiligheid, 2012) <http://www.onderzoeksraad.nl/index.php/onderzoeken/onderzoek-diginotar/> accessed 6 January 2012; ‘Meldplicht Security Breaches’ Kamerstukken II 2012/7, 26643, nr. 247, 1 (letter to the Dutch Lower House).
191 Ivo W. Opstelten, ‘Brief Meldplicht en interventiemogelijkheden’ (Ministry of Safety and Justice, 6 July 2012), 2-3 <http://www.nctv.nl/Images/brief-cyber-meldplicht-en-interventie_tcm126-443885.pdf> accessed 11 June 2013.
192 <www.ncsc.nl>.


3.1.4 Summary

The PDPR shall have direct effect and direct applicability in the Netherlands. The PCD initiates and harmonizes national initiatives such as the Dutch one. The proposed legislation originates from the telecommunication Directives of 2009.

3.1.5 Subsidiarity – Article 31 PDPR & Article 14 PCD

The Commission argues that there is a need for the removal of obstacles and differences between the cybersecurity legislation of individual Member States, because of the cross-border aspect of the Internet and the Single Market. The European legislature used the instrument of the Regulation in the DPR because “in order to avoid diverging Member State rules, the Union has to provide for a harmonized system of breach notifications across the EU.” The PCD also states the necessity of European action: “The stated objectives can be better achieved at EU level, rather than by the Member States alone, in view of the cross-border aspects of NIS incidents and risks”.193

The debate about SBNLs in America supports the argument of the Commission that the removal of distortions in the Single Market is necessary in the European Union. The United States plans to unify state level SBNLs because the obligation to comply with multiple SBNLs simultaneously caused significant administrative burdens for companies.

3.2 Proportionality – Article 31 PDPR & Article 14 PCD

The aims of an SBNL are in the interest of both consumers and business, but paradoxically also potentially infringe the freedom to conduct business. On the one hand, there is an interest of citizens who have the right of personal data protection (Article 16 TFEU & Article 6 Charter). Moreover, both consumers and business have an interest in a secure Internet. On the other hand, there is the freedom of companies to conduct business (Article 16 Charter and, in general, the Single Market).194 A notification obligation can harm a company’s legitimate interest of professional and business secrecy.195 Apart from that, an effective SBNL can result in large corporate compliance costs.196

How then should those conflicting interests be balanced? Article 52(1) of the Charter gives a direction on making limitations to fundamental rights, including the fundamental right of data protection (Article 8 of the Charter) and the fundamental right of the freedom to conduct business (Article 16 of the Charter):

193 PCD (n 4), recital 40.

Figure 4: European and Dutch SBNLs (timeline 2009 to 2013: Dir 2009/136/EC and Dir 2009/140/EC, telecommunications only, in 2009; PDPR in 2012; PCD and the proposed Dutch initiative in 2013; grouped by personal data and loss of integrity)

“any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”

The Court has assessed limitations on data protection in the Volker Schecke case. In Scarlet Extended, both data protection and the freedom to conduct business were analyzed. Both cases are important for the boundaries that fundamental rights sketch in European law related legislation. But the cases have a different context. The Volker Schecke case concerned the validity of a European Regulation. The Scarlet Extended case concerned the validity of an injunction by a national court based on a European Directive.

First, the main aspects of these cases will be discussed. Proportionality is the key principle to balance interests. Therefore, the Court’s approach in balancing fundamental rights will be analyzed in the light of Article 31 PDPR and Article 14 PCD according to the principle of proportionality.

3.2.1 Volker Schecke: limitations on data protection

In Volker Schecke, the Court assessed whether a European Regulation was in conformity with the fundamental right on data protection. The Volker Schecke case dealt with a European Regulation on the publication of agricultural subsidies. This Regulation had the aim to achieve transparency about the allocation of those subsidies, by publishing them online.197 The publication allegedly infringed the protection of personal data, as information of natural persons was made public in this case.198

The Court first assessed the legality of the limitation: the fundamental right must be limited by a Regulation that is provided by law.199 Hereafter, the Court assessed whether the Regulation pursues an objective of general interest of the European Union. The Advocate General in Volker Schecke states that these objectives need to be very specific.200 According to the Advocate General, the Court has to balance this specific objective of the Regulation with the infringed fundamental right(s). This is done by the principle of proportionality.

The principle of proportionality plays a key role in balancing the opposing interests that might flow from the presence of the Charter. Judicial reasoning is in most cases structured by a proportionality test.201 To recall: the proportionality test contains two or three elements, depending on case-law and legal doctrine. The first two are undisputed. First, there must be a causal connection between the measure and the aim pursued: the measure must be effective.202 Second, there must be no less restrictive alternative available: the measure must be necessary. The last element, called proportionality stricto sensu, concerns “a relationship of proportionality between the obstacle introduced, on the one hand, and, on the other hand, the objective pursued thereby and its actual attainment”.203 In the Volker Schecke case, the Court decided to keep the test of proportionality in the form of a two-stage test of appropriateness and necessity:

194 In assessing the SBNL initiative, there is thus a simple contrast between Single Market objectives and objectives of the Charter, because both interests have a legal basis in those two documents.
195 For instance Article 41(2) Charter.
196 Mark Burdon, Bill Lane, Paul von Nessen, ‘Data Breach Notification Law in the EU and Australia, Where to now?’ (2012) 28(3) Computer Law and Security Review 296; the societal effects of SBNLs are extensively discussed in part β.

“It is settled case-law that the principle of proportionality, which is one of the general principles of European Union law, requires that measures implemented by acts of the European Union are appropriate for attaining the objective pursued and do not go beyond what is necessary to achieve it.”204

The Court decided that the interests were not properly balanced and that less interfering measures were not taken into account. The Regulation thus failed to pass the second element of the proportionality test.

197 Article 44a of Council Regulation (EC) 1290/2005 on the financing of the common agricultural policy [2005] OJ L209/1 as amended by Council Regulation (EC) 1437/2007 [2007] OJ L322/1.
198 Volker Schecke (n 1), para 28.
199 Michal Bobek, ‘Joined Cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert, Judgement of the Court of Justice (Grand Chamber) of 9 November 2010 N.Y.R. (Annotation)’ (2011) 48(6) Common Market Law Review 2005.
200 Volker Schecke (n 1), Opinion of AG Eleanor V.E. Sharpston, para 105; ibid, 2009; the Advocate General provides independent and impartial opinions concerning the cases of the Court.
201 Bobek (n 199) 2020.
202 In legal doctrine, this causal relation is mostly called appropriate (Volker Schecke (n 1), para 74) or suitable. However, the more multidisciplinary term ‘effective’ is used in this thesis because this allows for using the same terminology in part α and part β.
203 De Vries (n 131) 224.
204 The “classic” full test also involves proportionality stricto sensu, which was not (explicitly) applied; see: Volker Schecke (n 1) para 74.


The Court decided in Volker Schecke that the institutions did not properly balance the right of privacy with the objectives of the Regulation.205 National Courts interpret the reasoning of the Court of Justice in Volker Schecke as an emphasis on "the necessity to establish the most rigorous safeguards and measures for the protection of individuals when it comes to processing of their personal data".206 The Volker Schecke case is important for the protection of personal data. The case favored the protection of data against the principle of transparency. National courts interpret the case as a broad Luxembourgian urge for safeguarding privacy and data protection.207 Volker Schecke is in a general sense important in balancing the objectives of European Regulations and fundamental rights by means of the proportionality principle. It stimulates the European legislator to specify aims of Regulations and carry out a proportionality test up front.

3.2.2 Scarlet Extended: limitations on the freedom to conduct business

The Scarlet Extended case is relevant because the Court performs a proportionality test and for the first time explicitly stresses the protection of the freedom to conduct business in Article 16 of the Charter. The Court performed a balancing test between the protection of the fundamental right to property of the intellectual property manager SABAM and the freedom to conduct business of the Internet Service Provider (ISP) Scarlet.208 SABAM, a company which represents copyright holders such as musicians and editors of musical works by authorizing their work, claimed that the copyrights of the parties it represents had been infringed by Internet users using Scarlet's services.209 Internet users downloaded music without authorization and without paying royalties by means of peer-to-peer networks.210 This alleged copyright infringement was acknowledged by the Belgian court. As a consequence, Scarlet was required to install a filtering system for the preventive monitoring of the data relating to its customers in order to prevent any future infringement of intellectual property rights.211 The Belgian court based this injunction on a discretionary power in a European Directive on the enforcement of intellectual property rights.212

Scarlet appealed against this decision, stating that the effectiveness of this filtering system could not be proved, for instance because peer-to-peer networks had developed at the time and made it impossible for third parties to check their content. Moreover, it would impose unnecessary practical complications, and it would infringe upon the protection of personal data because the filtering involved the processing of IP addresses, which are personal data.213

205 Volker Schecke (n 1) para 86.
206 Bobek (n 166) 2022.
207 Ibid.
208 Scarlet Extended (n 12), para 46.
209 Ibid, paras 17, 20.
210 Ibid, para 17.
211 Ibid, para 21.
212 Ibid, para 30; Article 11 of Council Directive (EC) 2004/48 on the enforcement of intellectual property rights [2005] OJ L195/16.
213 Ibid, paras 24-26.


The Belgian Court of Appeal thus referred questions to the Court, amongst others asking for the proportionality of the filtering system. The Court acknowledged that intellectual property rights are enshrined in Article 17(2) of the Charter, but confirmed earlier case-law that this right must be balanced against other fundamental rights. In this case, this fundamental right had to be balanced with the freedom to conduct business.214 The Court ruled that the freedom to conduct business had been infringed, because the filtering system was costly, complicated and permanent.215 The Court therefore concludes that a fair balance had not been struck between intellectual property protection and the freedom to conduct business, and that the required filtering system should be precluded. The Court's core argument is thus the disproportional infringement of the freedom to conduct a business. However, the decision is strengthened by other arguments. First, the filtering system would also infringe the protection of personal data of the customers of Scarlet, because IP addresses need to be identified.216 Second, the freedom to receive impartial information is also infringed, because the filtering system might block lawful communications.217 It is notable that Advocate General Cruz Villalón has a strong dissenting opinion. The Advocate General did not mention the freedom to conduct business at all and instead focused extensively on data protection and the confidentiality of communications.218 The latter could also be infringed, next to the freedom to conduct business. In short, the Advocate General therefore also concluded that the injunction needed to be precluded.219 This indicates the novelty of the introduction of the infringement of the freedom to conduct business by the Court as the main reason to exclude the filtering system.

Volker Schecke concerned a European Regulation and Scarlet Extended an obligation of the national court based on a discretionary power in a Directive as a result of a dispute between two private parties. Hence, the cases have a different context. Volker Schecke and Scarlet Extended are both important for the boundaries that fundamental rights give when adopting legislation in a European law context. The cases stress the importance of the protection of personal data. The Court showed in Scarlet Extended that the freedom to conduct business is an important fundamental right as well. These fundamental rights are not absolute. However, the infringements must be proportional: effective and necessary. On a case-by-case basis, it should be tested whether the European institutions indeed perform this balancing test properly. With regard to this balancing test, Advocate General Sharpston and legal scholar Bobek mentioned the specificity of the aims that the law pursues as a prerequisite for analyzing proportionality. The specificity of the aims is assessed in the upcoming section and compared with the empirically measured effect in section 8.3 of this research.

Although the cases have different starting points, they are both relevant for the proportionality test regarding Article 31 PDPR and Article 14 PCD. SBNLs have to respect fundamental rights, in particular data protection and the freedom to conduct business, because they aim to enhance Internet security, but impose obligations on companies.220 The first element of the proportionality test, effectiveness, will be discussed first. Second, the necessity will be discussed in the context of the SBNLs.

214 Ibid, paras 44-46; C-275/06 Promusicae [2006] ECR I-271, paras 62-68.
215 Scarlet Extended (n 12), para 48.
216 Ibid, para 51.
217 Ibid, para 52.
218 Ibid, Opinion of Advocate General P Cruz Villalón, paras 71-73.
219 Ibid, Opinion of Advocate General P Cruz Villalón, para 115.

3.2.3 Proportionality – Effectiveness

The first element of the proportionality test concerns effectiveness. This is the causality between the measure and the aims pursued. The effectiveness test gets limited attention by legal scholars. However, the insufficient substantiation of the aims of legislation and expected causality regarding SBNLs causes problems.

The PDPR and the PCD both mention the aims that the legislation should attain. The first order aim of the SBNL is to generate security breach notifications.221 The second order aim of the PDPR is "to ensure that individuals are in control of their personal data and trust the digital environment"222 in order "to increase the effectiveness of the fundamental right to data protection".223 The second order aim of the SBNL in the PCD is: "to create a culture of risk management and improve the sharing of information between the private and public sectors."224

These aims are not operationalized, they cannot be measured and it is ambiguous when exactly they are attained.225 The fuzzy aims make it hard to perform a real effectiveness test. Article 31 PDPR aims to ensure personal data control and trust in the digital environment. How should it be measured whether an obligation to notify a breach results in trust in the digital environment? And how can personal data control be 'ensured'? The PCD has the aim to create a culture of risk management and to foster cooperation between companies and the government. Achieving a culture of risk management is not a very specific objective.226 This conflicts with the opinion of Advocate General Sharpston in Volker Schecke about the need for specific aims.227 Besides, the Commission does not substantiate in what way the proposed SBNLs will achieve the aims pursued. The Commission states that because of the nature and scale of the problems, the European actions will be more effective, but does not specify how they will be effective.

220 The laws mention fundamental rights in their explanatory memorandum, see section 2.3 of this research.
221 Literally mentioned in Impact assessment PCD (n 8), annex 12.
222 Impact assessment PDPR (n 6), section 5.3.2.
223 Ibid.
224 Impact assessment PCD (n 8) section 5.4.3.
225 Operationalization is the process of redefining an ambiguous concept to make it measurable in order to perform empirical observations.
226 The unspecific objective as such can also cause a problem, see Volker Schecke (n 1) Opinion of AG Eleanor V.E. Sharpston, para 105.
227 Volker Schecke (n 1) Opinion of AG Eleanor V.E. Sharpston, para 105.


Concluding, the Commission did not specify in what way the SBNL will achieve the aims pursued. Besides, the aims are not very specific and not clearly operationalized, which makes it hard to measure causality.

3.2.4 Proportionality – Necessity

The notification obligation for companies of an SBNL has similarities with the obligation for Internet Service Providers in Scarlet Extended to install a filtering system. Both impose administrative burdens on companies. In the case of a notification obligation, companies also have to disclose business secrets and incur reputation damage.228 These effects might also limit the freedom to conduct business. As already mentioned, the limitation on the freedom to conduct business is proportional if it does not impose unnecessary burdens on companies.

The Commission only limitedly assessed the administrative burdens for companies in its impact assessment, because only the costs of making a notification are included in the cost estimation. The Commission expects that the cost per loss of integrity breach notification will be 125 euro. This figure is based on 4 hours of work by an employee. Furthermore, the Commission estimates that 1700 breaches will be notified per year. Therefore, the total costs for notifying breaches per year are estimated at 212500 euro.229 Moreover, the Commission also expects coordination costs because of overlap between loss of integrity and personal data breach notification obligations.230 The Commission estimates in the PDPR that the cost of a notification is 20000 euro and expects 4000 data breach notifications to occur. These costs are based on stakeholder feedback and desk research, but are not specified further.231 It is noteworthy that the estimations of the cost vary from 125 euro in the PCD to 20000 euro in the PDPR. This could be caused by the fact that the PDPR requires notifying the affected individuals as well.

Finally, the Commission states that the PCD is not disproportionate because it imposes limited costs on its addressees, because "any of these entities as data controllers are already required by the current data protection rules to secure the protection of personal data."232 However, contrary to this statement of the Commission, the breach notification is an additional requirement, which can also impose more extensive costs, such as reputation damage and the double notification of overlapping security breaches. Concluding, the Commission undervalues the administrative burden on companies, which questions the necessity of the current SBNL approach.

3.3 Main design parameters

The main functional characteristics of Article 31 PDPR and Article 14 PCD are mapped in this section. The four design parameters are: the addressees of the legislation, the sanctioning mechanism, the scope of the breach and the notification authority. These design parameters are used as input for the quantitative analysis on the first order effect of SBNLs in chapters 5 and 6.

228 Chapter 5 will extensively discuss positive and negative effects of SBNLs.
229 Impact assessment PCD (n 8) section 8.2.1.
230 Ibid, annex 3.
231 Impact assessment PDPR (n 6) annex 9.
232 PCD (n 4) Explanatory Memorandum, section 3.2.

3.3.1 Addressees

Addressees are the companies or persons who are addressed by the legislation. Addressees of the PDPR are all companies "processing personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system" (Article 2(1) PDPR). Processing is also interpreted very broadly, as stated in Article 4(3) PDPR: "processing means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction".

The PCD applies to all market operators. The Dutch SBNL only applies to a limited number of critical infrastructures: currently electricity & gas, drinking water, water management and water weirs, telecommunications, the main ports Rotterdam and Schiphol, financial traffic and payment traffic. It is however imaginable that the scope will be extended to other sectors, for instance because of the eventual adoption of the PCD.233

3.3.2 Sanctioning & enforcement

The PDPR imposes a strict sanction for non-compliance. Penalties can be imposed for the failure to comply with two types of obligations. First, the sanction for not complying with the documentation standards (Article 31(4) PDPR) of a notification can amount up to 500.000 euros or 1% of a company's world-wide turnover (Article 79(5)(f) PDPR). Second, the sanction for not notifying a personal data breach can amount up to 1 million euros or 2% of a company's turnover (Article 79(6)(h) PDPR).

The PCD does not require Member States to impose sanctions on non-compliance. The Dutch initiative does not contain a sanctioning regime. They seem to be based on trust, although "competent authorities would be given the possibility to investigate cases of non-compliance".234

3.3.3 Scope

The PDPR mentions the scope of the breach in Recital 8: "'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed". Article 3 PDPR states that personal data means "any information relating to the data subject".

233 Kamerstukken (n 190) 3.
234 Impact assessment PCD (n 8) annex 3.


The PCD covers "incidents having a significant impact on the security of the core services". The Commission states that "the threshold for significance could be defined in relation to the impact that the breach may have on the operation of networks or services. A very important aspect in this regard is the perspective of the consumers or citizens that could be affected, and this is something that will vary from sector to sector".235 According to the Dutch initiative, a security breach that is likely to infringe information systems and potentially lead to societal disruption falls within the scope. This is comparable with the "significant impact on the security of the core services". The terms will be clarified in the final legislation.

3.3.4 Notification authority and treatment

The PDPR constitutes a supervisory authority (Article 31(1) PDPR) for the notification of security breaches. The supervisory authority shall be established by the Member States according to Article 46 PDPR. The notification must be sent within 24 hours after the breach. The supervisory authority shall also be responsible for a consistent application of the European SBNL.

Article 14(2) PCD states that, in case of a security breach, the (national) competent authority must be notified. The NCSC or sectoral supervisors will be the supervising authority in the Netherlands.236 The Dutch initiative aims to treat the notification confidentially.237 Confidential treatment would minimize the negative effects of reputational damage. Moreover, by treating a notification confidentially, companies can protect confidential, competitively sensitive information included in a breach notification, for example details about the number of clients and other competitively sensitive information.238 The NCSC should be the main Dutch body of expertise for cooperation and information sharing. Therefore companies should have incentives to comply with the legislation, because they should benefit from this information sharing. The PCD does not mention a confidential treatment.

3.4 Conclusions

The United States were the first to establish an SBNL for personal data. The European Union followed by adopting Directives concerning personal data and loss of integrity breach notifications for the telecommunications sector. The personal data SBNL will get general applicability if the PDPR is adopted. The PCD aims to stimulate Member States to adopt a general breach notification focusing on a loss of integrity. Before the proposal of this Directive, a Dutch legislative initiative on an SBNL concerning loss of integrity had already been introduced. The PCD directs Member States to cover all sectors, while the Dutch initiative only covers vital infrastructures. It is however somewhat confusing that the PCD aims to attain minimum harmonization regarding loss of integrity SBNLs, while the PDPR fully harmonizes personal data SBNLs.

The cases Volker Schecke and Scarlet Extended show that the European Court of Justice requires specific aims of the legislation and prohibits unnecessary infringements of, for instance, the fundamental right to conduct business. In contrast, the aims of the SBNLs proposed by the Commission are not very specific and operationalized. Moreover, the SBNLs impose burdens on companies, for instance notification costs that can amount up to 20000 euro. This questions the proportionality of the SBNL.

There are significant differences between the PDPR and the PCD. The PDPR focuses solely on personal data breaches and the PCD focuses on a significant loss of integrity. The PDPR can impose penalties of 1% or 2% of a company's turnover for non-compliance, while the PCD does not intend to impose penalties. Some elements of the two proposals are not clear yet. The PCD has an imprecise definition of a breach. The notification authorities are not explicitly described (except for the NCSC in the Dutch initiative) and it is unclear how the European legislation will be enforced.

The two simultaneously proposed initiatives overlap, are regulated by different legal instruments and emit different signals and incentives. The European Commission confirms this overlap by admitting that a loss of integrity can also mean a loss of personal data. The simultaneous adoption of a Regulation and a Directive can create unnecessary costs for Member States because multiple supervisory authorities need to be constituted to notify a security breach. Nevertheless, the two proposals are regulated in a different way. This potentially imposes unnecessary administrative burdens on companies because they have to comply with multiple regimes. The proposals also emit different signals and incentives. For instance, the confidential treatment in the PCD will not function properly if companies are simultaneously forced to publicly disclose the same information under the PDPR.

The analysis of effects of SBNLs in part β by means of literature review, quantitative and qualitative analysis can contribute to the question whether and in which configuration the current approach is effective and necessary to attain the objectives pursued.

235 Impact assessment PCD (n 8) annex 2.
236 Kamerstukken (n 190) 3.
237 Interview with Jos Leenheer and Hein Verweij, Policy Analysts, NCSC, Ministry of Safety and Justice (The Hague, the Netherlands, 28 November 2012).
238 An analogy here could be the notification of sexual abuse. People who are sexually abused are often reluctant to notify this because they are frightened of repercussions from the perpetrator. A high degree of trust in confidential treatment can give these people an incentive to notify. Apart from that, notification in anonymity, such as notification points like the 'Kindertelefoon' and 'Meld Misdaad Anoniem', can be successful in overcoming this reluctance.


Part β: effects of security breach notification laws

In part α, the origins and position of the European security breach notification law have been mapped. This part analyzes the effects of SBNLs. To structure the empirical study, a first and second order effect of SBNLs are distinguished. The first order effect is the effect of (characteristics of) SBNLs on the amount of breach notifications. Generating notifications is not one of the aims of the proposed legislation, but a means to achieve the second order effect. The second order effect includes the positive and negative effects of the law on society.

A literature review is conducted to provide an overview of what is already known concerning those two effects. The quantitative analysis systematically assesses the first order effect of American SBNLs by a longitudinal dataset containing security breach notifications. The subsequent qualitative analysis reviews the perception of Dutch security experts and managers regarding the first and second order effect and the outcomes of the quantitative analysis.


4 Literature review on effects

This chapter concerns a literature review on the effects of SBNLs. The following causal structure has been introduced to distinguish the focus of the three types of analysis on the effects of SBNLs. This literature review introduces an analysis of first and second order effects of SBNLs.

Figure 5: first and second order effects of SBNLs

The effects are mostly derived from American literature, where the topic is discussed extensively and where there is a long experience with SBNLs. The analysis is used to enhance the proportionality test of proposed SBNLs in the European Union.239

The first order effect of SBNLs entails the relationship between design parameters of a law and the amount of notifications from companies experiencing a security breach. This mostly concerns compliance with the law. Compliance will be interpreted as notifying a security breach within the scope of the law. The regulatory compliance theory provides a framework to discuss incentives for actors to comply with the law. Within this subject, there is a short intermezzo about the cost of compliance compared to withholding a security breach. These incentives for compliance can be used to draw hypotheses in the quantitative analysis.

The second order effect includes the positive and negative societal effects of SBNLs, including the aims pursued in legislation. In literature, there are analytical suggestions and empirical measurements about the second order effects of an SBNL.240 The second order effect will be discussed in this literature review and in the subsequent qualitative analysis.

239 The European proposals entail the constitution of a new legal institution, which probably has different effects than the experience in the United States. Moreover, this research concerns human behavior on different levels, such as the individual level, organizational level and national level. All these levels generate a different type of behavior, which will lead to incentives to notify or withhold a notification. The real world of making a notification is thus inherently more complex than the causal structure presented that serves as a basis for subsequent empirical analysis.
240 Moore (n 73) 584.

4.1 First order effect

In this section, compliance will be discussed. Knowledge about compliance is important to understand what drives companies to notify a security breach.

4.1.1 The regulatory compliance theory

The regulatory compliance theory provides assumptions for the motivation of actors to comply with legal obligations.241 This theory provides knowledge about the underlying reasons for companies to make notifications.242 Ayres and Braithwaite were the first to distinguish profit maximization (the logic of consequences) and morality (the logic of appropriateness) as main motivations for compliance.243 These motivations both play a role in the consideration to notify, but their relative importance can vary. A traditional rational actor has profit maximization as a main motivator and will perform a rational cost benefit analysis when the decision to notify or withhold a notification must be considered. An actor that has morality as a main motivation assesses whether the law is appropriate according to internalized moral norms.244 In this situation a negative cost benefit analysis can still result in compliance. There is empirical evidence that a significant part of compliance cannot be explained by rationality but is explained by morality.245 The main motivation of an actor steers a compliance decision. For instance, an actor that is non-compliant because of the immorality of the law will not be very sensitive to higher sanctions. Rationality and morality thus both play a role in compliance theory. They can also play a role in complying with SBNLs. A purely rational actor would comply with an SBNL if the costs of compliance are lower than the costs of non-compliance. A rough estimation of the cost of compliance is provided in section 4.1.3. A purely moral actor would comply with an appropriate law that contributes to Internet security.

4.1.2 Incentives for compliance

Enforced sanctions and benefits from information sharing are rational incentives that have a positive effect on compliance. High sanctions in combination with vigorous enforcement increase the cost of non-compliance. The exchange of information and best practices can give companies incentives for compliance because they benefit from this information.246 Many researchers suggest that reputational damage is a strong negative driver for companies.247 Reputation damage and the subsequent loss of trust by consumers and of competitive power are costs of compliance. Next to rational incentives, the regulatory compliance theory distinguishes moral incentives for compliance. Companies can be morally bound to comply with SBNLs because it contributes to Internet security. Empirically, there is little information on how the various incentives affect compliance with SBNLs. Research on the effect of the strictness of a law on identity thefts did not find a significant effect.248

Key incentives for compliance in literature
Positive:
o Enforced sanctions
o Benefits of information sharing
o Contribution to Internet security (appropriateness)
Negative:
o Reputation damage

241 For example used by: Tom R. Tyler, 'Compliance with Intellectual Property Laws: A Psychological Perspective' (1999) 29 New York University Journal of International Law and Politics 219; Julien Etienne, 'Compliance Theory: A Goal Framing Approach' (2011) 33(3) Law & Policy 305; Durwood Zaelke, Making Law Work, Environmental Compliance & Sustainable Development (International Law Publishers 2005) 53.
242 Compliance thus is defined in the broad sense by making notifications when a notification law is adopted.
243 Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate (Oxford University Press, 1992).
244 For instance: fishermen did not fish illegally despite the fact that illegal gains were much larger than expected penalties; they found the law morally just, see: Etienne (n 241) 308.
245 Jon Sutinen and K. Kuperan, 'A socio-economic theory of regulatory compliance' (1999) 26(1/2/3) International Journal of Social Economics 174.

4.1.3 Intermezzo: rough analysis of the cost of compliance

This section provides a rough estimation of the cost of compliance and the cost of non-compliance of the American SBNL and the PDPR. The calculation assumes that companies solely balance enforced sanctions with reputation damage in their consideration. Therefore, compliance would result in costs of reputational damage and non-compliance would result in expected costs of possible reputational damage and penalties.

There is no clear consensus on the effects of reputation damage. Goel and Hawsky estimated a 1% loss of market value, which is used in this calculation as an assumption of the reputational cost.249 The PDPR imposes sanctions for non-compliance that can amount up to 2% of the worldwide turnover of a company. The cost of compliance of the PDPR is compared with the SBNL in Michigan. The Michigan SBNL is one of the most vigorous; it has the highest predetermined sanction of 750000 dollar. The calculation assumes that both regimes impose the maximum penalty. Moreover, a likelihood of apprehension of 10% can be regarded as an optimistic estimation of the enforcement powers of a supervising authority.250 In addition to that, breaches can also be disclosed by third parties and will probably also result in a penalty. This likelihood of an unintended disclosure is estimated to be 20%. Furthermore, it is assumed that the company concerned has a price to sales ratio of 5:1 and a turnover of 10 million dollar. The expected cost of compliance and non-compliance are displayed below.251

246 Mulligan (n 54) 21; Jane K. Winn, 'Are "Better" Security Breach Notification Laws Possible?' (2009) 24(3) Berkeley Technology Law Journal 1133.
247 For instance: Sanya Goel and Hany A. Hawsky, 'Estimating the market impact of security breach announcements on firm values' (2009) 46 Information and Management 404; see also section 4.2 of this research.
248 The authors place question marks at the limited sample size of this observation.
249 Goel and Hawsky (n 247).
250 In fact this is probably much lower, because our database contains a list of breaches of 0.05% of American companies while there are estimations that 42% of the companies suffered a data loss.
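The following Python script is an added example, not part of the thesis or its Appendix D. It re-implements the rough model of this intermezzo from the parameters stated above (turnover of 10 million dollar, price to sales ratio 5:1, 1% reputational loss of market value, 10% likelihood of apprehension, 20% likelihood of third-party disclosure, maximum penalties of 2% of turnover under the PDPR and 750000 dollar in Michigan) and goes one step beyond the text by solving for the detection probability at which a purely rational actor would switch to notifying. It assumes that the two likelihoods are simply added into a 30% chance that a withheld breach becomes known, which is the reading that reproduces the author's figures; the function and variable names are this example's own.

```python
"""Expected cost of compliance vs. non-compliance with an SBNL (added example)."""
from dataclasses import dataclass
from typing import Optional

# Parameters as stated in the thesis intermezzo (an illustration, not measured data).
TURNOVER = 10_000_000          # dollar: "turnover of 10 million dollar"
PRICE_TO_SALES = 5             # "price to sales ratio of 5:1"
REPUTATION_LOSS_RATE = 0.01    # Goel and Hawsky: 1 % of market value
P_APPREHENSION = 0.10          # likelihood of apprehension by the supervising authority
P_THIRD_PARTY = 0.20           # likelihood of unintended disclosure by a third party
# Assumption of this example: the two likelihoods add up, so a withheld breach
# becomes known (and penalised) with probability 0.30.
P_DETECT = P_APPREHENSION + P_THIRD_PARTY


@dataclass(frozen=True)
class Regime:
    """A notification regime and the maximum penalty it can impose (dollar)."""
    name: str
    max_penalty: float


def reputational_damage(turnover: float = TURNOVER,
                        price_to_sales: float = PRICE_TO_SALES,
                        loss_rate: float = REPUTATION_LOSS_RATE) -> float:
    """Reputational cost of a breach that becomes public: loss_rate of the
    market value, with market value = turnover * price-to-sales ratio."""
    return turnover * price_to_sales * loss_rate


def pdpr_max_penalty(turnover: float = TURNOVER, rate: float = 0.02) -> float:
    """The thesis applies the 2 % of worldwide turnover ceiling of the PDPR."""
    return turnover * rate


REGIMES = (
    Regime("European Union (PDPR)", pdpr_max_penalty()),
    Regime("Michigan", 750_000),   # highest predetermined US sanction (thesis)
)


def expected_costs(regime: Regime, damage: Optional[float] = None,
                   p_detect: float = P_DETECT) -> dict:
    """Notifying costs the reputational damage with certainty; withholding
    costs damage plus the maximum penalty, but only if the breach comes out."""
    damage = reputational_damage() if damage is None else damage
    return {
        "compliance": damage,
        "non_compliance": p_detect * (damage + regime.max_penalty),
    }


def break_even_detection_probability(regime: Regime,
                                     damage: Optional[float] = None) -> float:
    """Detection probability above which notifying becomes the cheaper option,
    obtained by solving p * (damage + penalty) = damage for p."""
    damage = reputational_damage() if damage is None else damage
    return damage / (damage + regime.max_penalty)


def rational_actor_complies(regime: Regime, p_detect: float = P_DETECT) -> bool:
    """True when the expected cost of withholding exceeds the cost of notifying."""
    costs = expected_costs(regime, p_detect=p_detect)
    return costs["non_compliance"] > costs["compliance"]


if __name__ == "__main__":
    for regime in REGIMES:
        c = expected_costs(regime)
        print(f"{regime.name}: notify {c['compliance']:,.0f} dollar, "
              f"withhold {c['non_compliance']:,.0f} dollar expected; "
              f"break-even detection probability "
              f"{break_even_detection_probability(regime):.0%}")
```

With the thesis parameters the script reproduces the author's box (500000 dollar for notifying under both regimes, 210000 and 375000 dollar expected for withholding). The break-even helper makes the sensitivity to enforcement explicit: under the Michigan ceiling a rational actor only notifies once the chance of a withheld breach becoming known exceeds 40%, and under the 2% turnover ceiling it has to exceed roughly 71%, which is why the author's conclusion below turns on the likelihood of apprehension rather than on the height of the sanction.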

In this situation, thecostsof compliancearehigher than the costsofnon‐compliance.Thisismostlyduetothefactthatthelikelihoodofbeingcaughtfornon‐complianceisestimatedaslow,becauseitisassumedthatenforcementisdifficult.AsWinnstates:“Ifthere is no compliancemechanism to be detected, there is no economic incentive tocomplywithalaw,whencompliancewouldbeverycostly.”252However,thiscalculationreliesonafewcontestableassumptions,suchastheheightofreputationaldamage,thelikelihood of apprehension and the imposition of a maximum sanction. Hence, itdemonstrates that high reputational damage in combination with a low likelihood ofapprehensionmake economic incentives to comply absent, even if high sanctions areimposedfornon‐compliance.

4.2 Secondordereffect

AnSBNLcanhavevarious societal effects.Theproblemof cybersecurityeconomics ischaracterized in the introduction.ScholarshavesuggestedeffectsofSBNLsandpartlyprovidequalitativeandquantitativeempiricalevidence.253ThepositiveeffectsofSBNLscancontributetothemitigationoftheproblemofcybersecurityeconomics.Asstatedintheintroduction,theproblemhasthefollowingcharacteristics.254

AnSBNLaims togenerate(more)securitybreachnotifications.According toscholars,thisresultsinanincreaseofinformationandawarenessaboutsecuritybreachesandinanstrengtheningof incentivesto invest insecurity,protectconsumerinformationand

251AcalculationisprovidedinAppendixD.252Winn(n246).253Moore(n73)584.254Seesection1.1.4ofthisresearch.

Expectedcostofcomplianceandnon‐complianceperbreach Costofcompliance(reputationaldamage)

o EuropeanUnion:500000dollaro Michigan:500000dollar

Costofnon‐compliance(possiblereputationaldamageandpossiblepenalty)o EuropeanUnion:210000dollaro Michigan:375000dollar

Imperfectinformationabouteffectivesecuritymeasuresbecauseofthecomplexityofbigdataanddefensesystems.

Negativeexternalitiesonsocietyconcerningthecostsofsecuritybreaches. Underpoweredincentivestoinvestinsecurity,protectconsumers

informationandshareknowledgewithcompetitors.

Page 75: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

53

share knowledge about security best practices. On the other hand, an SBNL can alsoresultinhighmaintenanceandcompliancecostsforgovernmentsandcompanies.Romanoskyexpects thatboth firmsandconsumersgain increased incentives toavoidbreachesassoonastheybecomeawareoftheirexistence.255Hecallsthedeterrenteffectof disclosing a security breach: “Sunlight as a disinfectant”. Romanosky analyzed theimpactofAmericanSBNLsontheamountofidentitytheftreportsfromtheU.S.FederalTradeCommissionandfoundanaveragereductionof6.1%infraudratesafterastateadopted an SBNL. Winn places these statements in perspective by stating that thesunlight as disinfectant principle mostly has negative effects for companies: “theshaming functionofSBNLs isdirectandconcrete,whileany incentive they [the laws]provide to improve security is indirect and uncertain.” Winn expects actors to actrationally,andregardsenforcementofnon‐complianceintheU.S.asweakandbenefitsas indirect and uncertain. Consequently, he projects that SBNLs generate littlecomplianceandsubsequentlyimpactonsociety.Contrary to the pessimistic view of Winn that the SBNLs will have little impact,Romanoskyarguesinadditiontothe“Sunlightasdisinfectant”principlethatconsumersshouldhavea“righttoknow”thattheirdataislost.SchwartzenJangersuggestedthatthisrighttoknowandespeciallythesubsequentlyquickawarenessofasecuritybreachby consumers have positive impact on mitigating losses.256Mulligan derives relevantobservationsfrominterviewswithchiefsecurityofficersofanumberoflargeAmericanfirms. 
They are positive about the effects of SBNLs and also perceive consumer awareness to be heightened.257 More generally, they perceived that "notification laws have raised the level of awareness of the importance of information security" and "have fostered cooperation between information security departments".258 Moreover, they confirm the sunlight as disinfectant principle by perceiving an incentive for security enhancement: "fear of reputation damage, in addition to the notification requirement itself, drives organizations to take steps to at least evaluate, if not correct and enhance, security mechanisms".259 They also underlined the benefits of information sharing: "security breaches at other organizations provide CSOs with information on new and developing forms of threats"260 and "responsibility for the loss of personal information has resulted in an informal system of industry self-regulation, as organizations are not only strengthening security, but are requiring that other organizations that handle their data meet their standards as well".261

The reputation damage that companies experience after a security breach has been made public has been the subject of frequent empirical measurement. Reputation

255 Sasha Romanosky, Rahul Telang, Alessandro Acquisti, 'Do Data Breach Disclosure Laws Reduce Identity Theft?' (2011) 30(2) Journal of Policy Analysis and Management 256, 262.
256 Paul M. Schwartz and Edward J. Janger, 'Notification of Data Security Breaches' (2007) 105 Michigan Law Review 913, 971.
257 Mulligan (n 54) 24.
258 Ibid, 4.
259 Ibid, 14.
260 Ibid, 21.
261 Ibid, 22.


damage is estimated by measuring the value or performance of companies before and after a notification. Goel and Hawsky estimated the impact of security breach announcements on firm values. They used event study methodology to study breach events from the media. A few days before and after the announcement of a security breach, the market value of a company was measured.262 They found a negative impact a few days after the breach, on average about 1% of the market value. Cavusoglu identified through a similar approach an incidental loss of stock prices of 2.1%.263 Ko and Dorantes used a matched sample comparison analysis instead of event study methodology to investigate the impact of security breaches on firm performance.264 The results suggested "that information security breaches have minimal long-term economic impact". There is thus not a clear consensus on the long-term effects of a breach. However, a breach does likely affect market value in the short term.

A vigorous enforcement regime and many notifications to be processed can result in high social costs. Governments incur costs for maintaining and constituting the enforcement and notification processing system. Companies incur costs in complying with the law, for instance to assign employees to the process of notifying.265 If the probability of a security breach is low, but enforcement high, companies can make unnecessary costs by overreacting, for example by constantly reviewing credit cards of customers.266

262 Goel and Hawsky (n 247).
263 Huyesin Cavusoglu, Birenda Mishra and Srinivasan Raghunathan, 'The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers' (2004) 9(1) International Journal of Electronic Commerce 69.
264 Myung Ko and Carlos Dorantes, 'The impact of information security breaches on financial performance of the breached firms: an empirical investigation' (2006) 16(2) Journal of Information Technology Management 13.
265 Winn (n 246) 1135.
266 Romanosky (n 255) 260.

Key effects of SBNLs discussed in literature

Positive
o "Sunlight as a disinfectant": increased investments in security by company and consumers
o "Right to know": awareness of consumers of security breaches
o Fostered cooperation between companies
o Faster risk mitigation after a breach

Negative
o Companies: (fear for) reputation damage for companies
o Governments: societal costs of processing, enforcement
o Companies: increased investments, fostered cooperation and compliance


4.3 Conclusions

This chapter has outlined the discussion in literature about the first and second order effect of the SBNL. According to the literature, the design of notification laws determines the magnitude of the first order effect: the amount of notifications. Sanctions, benefits from information sharing and appropriateness give incentives for compliance. Reputational damage gives incentives for non-compliance. The cost of compliance is possibly higher than the costs of non-compliance. As a consequence, a rational actor, as specified in section 4.1.3, will not comply with a notification law. The reservation should be made that this cost calculation is based on contestable assumptions, for instance relatively low enforcement and high reputational damage. The incentives for compliance that are identified in this chapter are essential information for drawing hypotheses in the subsequent quantitative analysis in section 5.3.

A number of important societal (second order) effects of SBNLs are developed. There are positive effects, such as increased security investments and awareness. There are also negative effects, such as costs of the notification system and administrative burdens of companies. These effects are important because they form a substantive input for the proportionality assessment of the European Union legislative proposals.


5 The dataset

This chapter prepares a dataset in order to test whether characteristics of American SBNLs affect the amount of breach notifications. The United States of America have adopted generally applicable SBNLs since 2003. This is different from the European Union and the Netherlands, where legislation is in the design phase.267 The American laws focus on loss of personal data and thus have the most in common with the European Union proposal on the protection of personal data. The aim of this and the subsequent chapter is to learn from this American data in order to make recommendations for the PDPR and the PCD. The dataset, which contains empirical data about security breaches, can assist in understanding whether these classifications relate to compliance. Indeed, if an SBNL is effective in causing more breach notifications, this in principle can be identified by an increase of the amount of security breaches in the dataset.

In section 5.1, the dependent variable is constructed: security breaches per firm per state per year. The dataset from which the dependent variable is constructed is introduced first: the Privacy Rights Clearinghouse dataset, which contains security breaches from 2005 until 2012. The dataset concerns longitudinal data: data of multiple subjects (states) with multiple measurements in time (years). Second, the dependent variable is developed by restructuring the data. Attention is paid to omitted variables between states and over time that can influence the dependent variable. This discussion results in the decision to control for the amount of firms in a state.

In section 5.2, the American SBNLs are classified based on 6 aspects that cover the design parameters sanctioning, scope and notification authority constructed in chapter 3. These classifications are the independent variables of the quantitative analysis that will be executed in the next chapter.268

5.1 The dependent variable: security breaches per firm per state

With some exceptions, U.S. supervisory authorities do not record the amount of official notifications flowing from the legal obligation to notify.269 The intended quantitative analysis thus has to rely on secondary data of organizations that collect and register security breaches. The dataset of a Californian nonprofit organization, called the Privacy Rights Clearinghouse, is used for this purpose. The goals of this organization are inter alia to "document the nature of consumers complaints" and "answer questions about privacy in reports, testimony, and speeches and make them available to policymakers, industry representatives, consumer advocates and the media."270 A part of this work is

267 See section 3.1.2 of this research for the European Union SBNL for telecommunication networks.
268 The software package IBM SPSS Statistics is used to perform the analyses.
269 'The Privacy Rights Clearing House Data Base' (PrivacyRights.org, 2013) <https://www.privacyrights.org/data-breach> accessed 1 February 2013.
270 Ibid, under: 'About us'.


the maintenance and construction of a dataset containing security breaches. The dataset has strengths and weaknesses. A strength is that the Privacy Rights Clearinghouse database only registers U.S. security breaches and that all U.S. states between 2005 and 2012 are covered.271 The 3554 breach reports contain several characteristics of a security breach, such as a summary of the breach, the amount of records breached and the sector, the state and year in which the breach occurred.272 A weakness is that the dataset is an aggregation of multiple security breach databases (hereafter: sources). Those sources are not mutually exclusive as they can contain the same breaches. However, duplications have been filtered out. Apart from that, some sources are added in a later stage of the data collection, which can give a false impression of an increased number of security breaches over time. Moreover, the representativeness of the data is questionable: less than 0.05% of the U.S. companies is represented, while it is likely that a multiple of that suffered a security breach between 2005 and 2012. Besides, several actors, such as companies, consumers and third parties, can be the reporters of a breach, while the interest of this research solely lies at companies that notified their own breaches, in order to make statements about compliance with the law.273 The Privacy Rights Clearinghouse, however, claims that most of the breaches come from the harmed companies by stating that "if a breached entity has failed to notify its customers or a government agency of a breach, then it is unlikely that the breach will be reported anywhere".274 For this research, the official fifty US states will be used for analysis. Thus, the District of Columbia, Puerto Rico and the Virgin Islands are omitted from the database.

5.1.1 Description of the security breaches in the database

A descriptive analysis of the characteristics of a security breach in the dataset for the year 2012 shows that the size and fashion of security breaches widely varies. In 2012, 675 breaches were registered. In most of the cases, a breach contains multiple records: the amount of people affected by the breach. The size of the breach varies between a few records and millions of records. There are small breaches (less than 1000 records), medium size breaches (between 1000 and 10 000 records breached) and large breaches (more than 10 000 records per breach). The size of 246 breaches is unknown. Almost all states have small, medium and large breaches. California, for instance, contains 122 breaches. This varies from 15 affected people (a hospital employee that used credit card information of cancer patients) to a big LinkedIn data breach, which contained 6.4 million encrypted passwords that were posted online by a group of hackers. In

271 Ibid.
272 The breaches are classed by sector: businesses (retail, financial/insurance and other), educational institutions, government and military, healthcare and non-profit organizations.
273 Firms notify their own breaches, but customers and third parties notify suspicious information on the Internet.
274 The Privacy Rights Clearing House Data Base (n 269).

Breach: an occasion of a security breach.
Record: the amount of people affected by a breach.
Source: the underlying database that collected the breach.


Washington, 16 breaches were reported: the smallest breach reported consists of 16 records (a small credit card fraud). The largest breach affected 35 million people by hacked password information of an online gaming platform. In Virginia, there were also small breaches, such as a breach with 30 records in November 2012 in the healthcare sector. The largest breach (176 567 records) contained a security hack of the server of Virginia Commonwealth University that contained personal information of former and current employees, students, staff and affiliates. Some breaches only include records such as passwords from a particular website, such as the LinkedIn data breach, while in other cases people are affected directly, for example through the use of stolen credit card information for fraudulent activities. Therefore, the number of records breached is not a very accurate unit for the impact of the breach. Based on this analysis, a smaller breach generally has a higher impact per record than a larger breach, but larger breaches compensate this by a multiplicity of records. The European Commission confirmed this observation in the impact assessment of the PDPR:

"The number of individuals concerned by a breach cannot be used as a severity criterion, as the possible risk for any individual is not dependent from the number of others that are concerned by the same incident. In some circumstances damage may even be more likely when less individuals are concerned, e.g. if a hacker obtains only a few credit card records, each one may have a much higher probability to be used for fraud than when several million records are stolen."275

Below, the distribution of all breaches is given for 2012 and the entire dataset. It shows that most breaches are not categorized and that the size of breaches is distributed fairly evenly. In the eight-year period observed, in total, 600 million records were breached. The three largest breaches contain more than 300 million records.

Figure 6: total records in 2012 (left) and 2005-2012 (right) (1 = 0-1000; 2 = 1001-10 000; 3 = 10 001+; 4 = unknown)

275 Impact Assessment PDPR (n 6), section 14.1.4, under 4).


5.1.2 Sources of the database

The database is an aggregation of several security breach notification sources. The amount of notifications per source and the representation of the sectors are shown in the figures below:

Figure 7: different sources in dataset from 2005 until 2012 and sectors.276

Most of the breaches come from the Dataloss DB database. As of January 2010, the sources Databreaches.net, PHIPrivacy and NAID are included. As of March 2012, the list of the California Attorney General is included.277 As said, the sources are not mutually exclusive, which entails that one occasion of a security breach can be found both in Dataloss DB, in the media, and by the Attorney General of California. PHIPrivacy, 'HHS via' and NAID mostly include medical breaches, which is also problematic from a representativeness point of view. Hereafter, two examples of sources that are not representative are displayed: the source 'California Attorney General' represents mostly breaches from California and PHIPrivacy.net contains mostly breaches in the medical sector.

276 The sectors are labeled as follows: BSO - Businesses - Other; BSF - Businesses - Financial and Insurance Services; BSR - Businesses - Retail/Merchant; EDU - Educational Institutions; GOV - Government and Military; MED - Healthcare - Medical Providers; NGO - Nonprofit Organizations.
277 'The Privacy Rights Clearing House Data Base' (n 269) under 'FAQ'.


Figure 8: representativeness issues: breaches per state from the source 'California Attorney General' and sector of breaches of PHIprivacy (medical is red).

Although the database does not contain duplications, the exclusion of sources that are not representative for the population or added in a later stage could be problematic. Breaches in the sources that are not representative can originally also have been present in sources that are representative, before they were filtered out because of the duplication exclusion. Those breaches would be falsely excluded if the sources that are not representative were excluded. So there is a risk of falsely excluding breaches on the one hand and representativeness issues of some sources on the other hand. Therefore, a two-track approach is adhered to in order to systematically mitigate this risk. This consists of the construction of two separate dependent variables. The first is based on all sources and the second is based solely on the breaches that come from Dataloss DB and databreaches.net. These two sources are selected because they are the two largest sources, clearly overlap and do not have striking representativeness issues. The distribution of the sectors of the database with the selected sources looks as follows.

Figure 9: distribution of sectors of selected sources


5.1.3 Restructured data: breaches per year and per state

In order to analyze breaches per year and per state, the raw database is restructured into a list of 400 cases containing the amount of breaches per state for each year between 2005 and 2012 (50 states containing 8 years of data).278 The following graph only displays year after year effects. The total amount of breaches of 50 states is summarized per year.

Figure 10: breaches per source (0 = selected sources; 1 = all sources)

An inconstant increase of the amount of notifications can be observed. It must be noted that from 2010 on, the new sources that were added to the database can explain the increase of notifications. Apart from this, a remarkable decline is visible in 2008 and 2009. This could be related to the financial crisis, although this remains speculation. The following graph represents the amount of records per source per year. It is clearly visible that the Dataloss DB and databreaches.net sources overlap. This overlap is one of the reasons that the two sources are selected together.

278 The raw database consists of 3554 cases (all sources included) or 2506 cases (selected sources: Dataloss DB and Databreaches.net).


Figure 11: breaches per year per source

After the visualization of the amount of breaches per year and per source, the table of the restructured data and the distribution of the amount of breaches per state and per year are displayed.

State      2005  2006  2007  2008  2009  2010  2011  2012
Alabama       0     2     6     2     2     2    11     8
Alaska        0     1     1     0     1     2     2     3
Etc.          …     …     …     …     …     …     …     …
Total       133   454   434   345   242   586   554   647

Table 2: visualization of restructured data: breaches per state per year (all sources)


Figure 12: breaches (circle is amount of breaches per year per state; all sources and 50 states included)

The low amount of breaches per state in combination with the low amount of firms represented gives the risk of representativeness errors, because measurement errors can change the picture of the data in the state. The distribution and the visual inspection of the table with the restructured data show that most states had between 0 and 20 breaches per year and a few states have a lot more breaches. The average amount of breaches per case is 9 (all sources included).

Apart from these representativeness errors, a few assumptions about the dataset need to be made. The first assumption is that the distribution of the amount of records per breach is equal over all the states. With this assumption, there is no need for taking the wide variation of records into account. In the same way, an equal distribution of the origin of the breaches is assumed. Because it is impossible to exclude third parties and consumers from the database, it is assumed that they are distributed equally among all states. This means that the dataset is in some way representative for the amount of breach notifications coming from firms that fall under an SBNL. Moreover, it is assumed that different sectors respond in a similar manner to security breaches. These assumptions need to be made because the subjects assumed can influence the outcomes of the analysis but cannot be filtered or controlled due to limitations in the model or time constraints. Therefore they will not be tested empirically, but are taken into account while drawing conclusions about the results of the quantitative analysis.


5.1.4 Variations between states: amount of firms

There are many differences between states that can explain the differences between the amount of breaches per state, for example, criminal activity, the cultural attitude to comply with laws, the GDP, population and Internet percentage rate. The difference between the amounts of breaches per state can possibly also partly be explained by the size of the state. Some states in America such as California and Texas are much larger than others. There are more security breaches reported in larger states because there are more firms that can be breached.279 A possible controlling variable for this issue could be the amount of firms, because firms make notifications. There are a few large states (for instance, California, Texas and New York) with a lot of firms and many small states with relatively few firms. The amount of firms in a state for each year between 2005 and 2010 is used, which also embodies differences between the amount of firms within a state over time.280 A scatter plot of the logarithm of breaches and firms per state shows a visual relationship.

Figure 13: scatter plot of log_breaches and log_firms (selected sources right)

A correlation analysis shows a significant correlation between the amount of breaches and the amount of firms.

Correlation log Breaches and Firms_per_state   Coefficient                       Significance
                                               All sources   Selected sources
Pearson                                        .805          .832                .000
Spearman's Rho                                 .771          .777                .000

Table 3: Correlation analysis

When running a standard linear regression, it is shown that the number of firms in a state explains 65% (all sources) or 69% (selected sources) of the variance of the amount of breaches in a state. In a stepwise regression all other control variables (population,

279 The concentration of vulnerable information technology services, such as in Silicon Valley in California, can be another explanation for a higher number of breaches. This variation will not be discussed in this thesis.
280 'Firms in U.S. states' (Census.gov, 2013) <http://www.census.gov/econ/susb/> accessed 13 June 2013. The amount of firms per state was available up to 2010. Therefore, 2011 and 2012 have 2010 values. The distribution of firm size per state is assumed to be equal.


Internet percentage rate and GDP) are excluded. The visual information, the correlation and the regression indicate that breaches can largely be explained by the amount of firms in a state. Therefore, this study controls for this type of variance. In order to do this, the variable Breaches_per_firm is constructed: the amount of breaches per state per million firms. The distribution of Breaches_per_firm is spread more evenly than Breaches. Breaches_per_firm will be used as a final dependent variable.
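The data preparation steps of sections 5.1.1, 5.1.3 and 5.1.4 (record-size classes, the zero-filled state-by-year panel with the all-sources / selected-sources split, and normalisation per million firms with the 2010 firm counts carried forward to later years, as in footnote 280) as an added example; this is not the thesis's own SPSS procedure, and the breach records and firm counts are constructed sample data, not the Privacy Rights Clearinghouse or Census figures.

```python
import math

# Constructed sample breach records (NOT the Privacy Rights Clearinghouse data).
# Each record: (state, year, records breached or None if unknown, source).
SAMPLE_BREACHES = [
    ("CA", 2011, 15, "DatalossDB"),
    ("CA", 2011, 6_400_000, "Databreaches.net"),
    ("CA", 2012, None, "California Attorney General"),
    ("CA", 2012, 5_000, "DatalossDB"),
    ("WA", 2012, 16, "DatalossDB"),
    ("WA", 2012, 35_000_000, "Databreaches.net"),
    ("VA", 2012, 30, "PHIPrivacy"),
    ("VA", 2012, 176_567, "DatalossDB"),
    ("WY", 2011, 200, "NAID"),
]

# Constructed firm counts per (state, year); NOT census figures. Only some
# years are present, mirroring the thesis's situation where counts stop in 2010.
SAMPLE_FIRMS = {
    ("CA", 2009): 690_000, ("CA", 2010): 700_000,
    ("WA", 2010): 150_000, ("VA", 2010): 160_000, ("WY", 2010): 20_000,
}

# The two sources kept in the "selected sources" dependent variable (section 5.1.2).
SELECTED_SOURCES = {"DatalossDB", "Databreaches.net"}


def size_class(records):
    """Section 5.1.1 / Figure 6 classes: 1 = 0-1000, 2 = 1001-10000, 3 = 10001+, 4 = unknown."""
    if records is None:
        return 4
    if records <= 1_000:
        return 1
    if records <= 10_000:
        return 2
    return 3


def size_distribution(breaches, year=None):
    """Count breaches per size class, optionally for a single year."""
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for _state, y, records, _source in breaches:
        if year is not None and y != year:
            continue
        counts[size_class(records)] += 1
    return counts


def restructure(breaches, states, years, selected_only=False):
    """Section 5.1.3: collapse raw breach records into a state x year panel with one
    case per state-year (zero-filled, so a quiet state-year still appears as 0).
    With selected_only=True, only breaches from SELECTED_SOURCES are counted."""
    panel = {(s, y): 0 for s in states for y in years}
    for state, year, _records, source in breaches:
        if selected_only and source not in SELECTED_SOURCES:
            continue
        if (state, year) in panel:          # ignore states/years outside the panel
            panel[(state, year)] += 1
    return panel


def firms_for(firms, state, year):
    """Firm count for a state-year; a year without figures carries forward the
    latest earlier year that has them (the thesis uses 2010 values for 2011-2012)."""
    available = [y for (s, y) in firms if s == state and y <= year]
    if not available:
        raise KeyError(f"no firm count for {state} at or before {year}")
    return firms[(state, max(available))]


def breaches_per_firm(panel, firms):
    """Section 5.1.4: Breaches_per_firm = breaches per state-year per million firms."""
    return {(s, y): n * 1_000_000 / firms_for(firms, s, y) for (s, y), n in panel.items()}


def log_pairs(panel, firms):
    """(log breaches, log firms) points for the Figure 13 scatter plot; zero-breach
    cases are dropped because log(0) is undefined."""
    return [(math.log(n), math.log(firms_for(firms, s, y)))
            for (s, y), n in panel.items() if n > 0]


if __name__ == "__main__":
    states, years = ["CA", "WA", "VA", "WY"], [2011, 2012]
    panel = restructure(SAMPLE_BREACHES, states, years)
    for key in sorted(panel):
        print(key, panel[key], round(breaches_per_firm(panel, SAMPLE_FIRMS)[key], 2))
```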

Figure 14: breaches per firm per state (all sources and 50 states included).

5.1.5 Variations over time: Internet security

Just like there are many differences between states, there are also variables that differ over time that can explain the differences of the amount of breaches over time. The particular influence of improved Internet security will be highlighted in this section. Effective notification laws will eventually result in fewer breach notifications, because the laws improve Internet security.281 In America, the effect of breach notification laws on Internet security, measured as the amount of identity thefts, is 6.1%, which can be considered quite low.282 However, this effect, and more particularly its lag time and impact, is not measured for the current dependent variable. Therefore, a rough estimation is performed to get a sense of this effect. To do this, the development of states that had a high number of breaches in the developing period (2005-2008)283 is compared with states that had a low number of breaches in the same period. For this analysis, the five states that have the highest amount of breaches per firm in the developing period are grouped. The same is done for the five states with the lowest number of breaches per firm. Both values are compared with the average number of breaches in the mature period (2009-2013).284 One would expect that a relatively high number of reported breaches in the developing period would result in a stronger decrease or less

281 Ceteris paribus: other factors that influence the amount of notifications over time, such as the activity of cybercriminals resulting in increased Internet insecurity, stay at the same level.
282 Ceteris paribus, see Romanosky (n 255).
283 In the developing period, only a few states had adopted an SBNL, see section 5.2.1 of this research.
284 In the mature period, most states had adopted an SBNL, see section 5.2.1 of this research.


increase of notifications with respect to the states with an initial low number of notifications, because of relatively enhanced Internet security. It is assumed that the exogenous effect of Internet security develops in the same manner for all states, that breaches have a similar effect on Internet security and that Internet security is equal over states at the beginning of the measurements. The change of breaches over the years in both groups is displayed below for all sources and selected sources.285

                                                     Average breaches per firm 2005-2008   Average breaches per firm 2009-2012
                                                     All sources   Selected sources        All sources   Selected sources
Lowest 5 amount of breaches per firm in 2005-2008
(rounded) (Wyoming, North Dakota, Arkansas,
Mississippi, Missouri)                               75            75                      190           120
Highest 5 amount of breaches per firm in 2005-2008
(rounded) (Rhode Island, Connecticut, Ohio,
Indiana, Montana)                                    410           365                     425           255

Table 4: positive effects of notifications

The results show that states with a low amount of breaches roughly doubled the amount of breaches that were notified. States that already had a high amount of breaches on average showed a minor increase in the case of all sources and a strong decrease if only the selected sources are taken into account. The absence of notification laws in the states with a low amount of breaches can partly explain a lower amount of notifications in the developing period. Wyoming, Missouri and Mississippi did not have an SBNL from 2005 until 2008 but Arkansas and North Dakota did. The states that contained the highest amount of breaches per firm in the developing period had all adopted a law in 2006. But the results could also indicate that, to some extent, a security feedback loop exists. On the other hand, the amount of cases in the data is very low, on average 9 breaches per firm if all the data is included. It is hard to believe that a few breaches have such an impact on Internet security.286 The negative feedback loop of Internet security is therefore expected to have a certain effect, but a more detailed analysis is needed to analyze this in subsequent research.

5.2 Independent variables: classifications of American SBNLs

The aim of this data analysis is to learn from U.S. data on SBNLs in order to make recommendations for the European and Dutch legislative proposals. This requires the construction of independent variables that contain aspects of an American SBNL. For this purpose, the laws themselves and different legal sources from U.S. government institutions and law firms are consulted in order to distinguish and map the different aspects. It would be most desirable to quantify those aspects on an interval/ratio scale,

285 Selected sources: the dataset that only contains the sources Dataloss DB and Databreaches.net.
286 However, it could be that more breaches are notified, and that in reality this number accounts for a large amount of breach notifications.


but this proved to be very difficult, as it is hard to distinguish equal differences between multiple values per aspect. Therefore, several aspects of the law have been classified on a dichotomous scale. If the particular law has this aspect, it is classified '1', else '0'.287

5.2.1 Introduction date

The introduction date is the first aspect of the law that is mapped.288 For this purpose, data from the Commercial Law League America (CLLA) is used.289 This database is an authoritative synthesis of legal analysis, which covers among others the introduction date of American SBNLs and key provisions of the law. The data is updated until December 2011. After this date, no additional adoptions of SBNLs have taken place.

Year                       2005  2006  2007  2008  2009  2010  2011  2012
U.S. States with an SBNL     11    27    36    41    45    45    46    46
                           Developing period        Mature period

Table 5: number of SBNLs per year (out of 50 U.S. States)

Most states adopted an SBNL in the years between 2005 and 2008. This is called the 'developing' period. Between 2009 and 2012 the vast majority of states have a law in place: the 'mature' period. Those periods will be used in the quantitative analysis in chapter 6. It is remarkable that the dataset also contains breaches from years and states that do not have a law. Those are most likely voluntary notifications or notifications from consumers or third parties, but they indicate that, contrary to the statements made by the Privacy Rights Clearinghouse, a significant part of the breaches could come from other reporters than the companies affected.

5.2.2 Sanctioning laid down in the law higher than 50 000 dollar

The sanction for not complying with the law differs between states. Not complying means not notifying, or not notifying in due time or according to the formal requirements demanded. 14 laws can impose a maximum sanction of 50 000 dollar or higher. Some states do not predefine a sanction but consider it a task of the Attorney General to impose a sanction, which could possibly be higher than 50 000 dollar. The classification sanctioning therefore means that there is a predefined penalty of 50 000 dollar or higher. These laws are labeled 1. For this classification, a legal analysis that contains aspects of all American SBNLs made by the law firm Mintz Levin has been used. Mintz Levin is a large US law firm with approximately 400 attorneys specialized in privacy and security, which made this chart for information purposes.290 The

287 The classifications per state are displayed in appendix B.
288 Most laws have been amended in some form after their adoption, but most amendments concern an incremental alteration of the laws. Therefore, the introduction date is used for the analysis.
289 'Data Breach Notification Laws by State' (CLLA, December 2012) <http://www.clla.org/documents/breach.xls> accessed 12 June 2013.
290 'State Data Security Breach Notification Laws' (Mintz Levin, 1 December 2012) <http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf> accessed 13 June 2013.


classification is compared with a similar chart of Baker Hostetler, a similar U.S. law firm with 800 attorneys.291

5.2.3 Strictness defined by Romanosky

Based on the examination of state laws, Romanosky, a researcher in the field of cybersecurity, highlighted a few states which should be stricter than average after the consultation of attorneys. These are California, Hawaii, Maryland, Massachusetts, Minnesota, Rhode Island, Tennessee, Vermont, and Virginia. Those states all have the following characteristics: "they are acquisition-based (forcing more disclosure from a lower threshold of breach); cover all entities (businesses, data brokers and government institutions); and allow for a private right of action (i.e., individual or class action law suits)."292

5.2.4 Individuals have a private right of action

A possibly important distinction between the U.S. laws is whether individuals have a private right of action. This means that people injured by a violation of the breach notification law may institute a civil action to recover damages. There must however be a relation between the failure to notify and the damages caused. States that have a private right of action are labeled 1. 14 laws allow for a private right of action of individuals. This classification is based on the chart of Baker Hostetler.293

5.2.5 Scope of personal information is broader than general definition

According to Baker Law, the general definition of personal information is "An individual's first name or first initial and last name plus one or more of the following data elements: (i) Social Security Number, (ii) driver's license number or state issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information".294 Baker Law labeled cases with a broader definition of personal data, for example because medical information, a password or a taxpayer identification number is included.295 Those are labeled 1. 24 laws have a scope of personal information which is broader than the general definition.

5.2.6 Obligation to notify the Attorney General

A remarkable difference between American laws is the obligation to notify the Attorney General in addition to the person whose data is breached. The Attorney General is a supervising authority and responsible for settling the procedure and potential procedures for damages. 17 of the 50 states require such a notification.[296]

291 ‘State Data Breach Statute Form’ (BakerHostetler, 2013) <http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/State_Data_Breach_Statute_Form.pdf> accessed 13 June 2013.
292 Romanosky (n 251) 273; Email with Sasha Romanosky, Research Fellow, Information Law Institute, New York University (9 April 2013).
293 BakerHostetler (n 291).
294 Ibid.
295 Ibid.

5.2.7 Obligation to notify the customer credit reporting agency

A customer credit reporting agency is “a company that collects information from various sources and provides consumer credit information on individual consumers for a variety of uses. It is an organization providing information on individuals' borrowing and bill-paying habits”.[297] A notification to this authority can be required because these agencies maintain and compile personal information files on consumers. 29 laws contain this obligation. In some states, a company only needs to notify a customer credit reporting agency if the amount of records per breach is above 500 or 1000 residents. Laws that have the obligation to notify the customer credit agency regardless of the threshold are labeled 1.[298]

5.2.8 Summary

A summary of the independent variables is displayed below. In addition to the independent variables, four control variables have been constructed: the GDP, Internet penetration rate, the number of firms and the population per state.[299]

Description                              | Label                       | Number of laws (out of 50)
Maximum sanctioning above $50k           | Sanctioning                 | 14
Strictness defined by Romanosky          | Strict_Romanosky            | 9
Private right of action                  | Private_action              | 14
Wider scope than the general definition  | Scope_law                   | 24
Notify Attorney General                  | Not_ag                      | 17
Notify Customer Credit Reporting Agency  | Not_custcredit              | 29
GDP per state                            | GDPcap_per_state            | Control variable
Internet penetration rate per state      | Internetpenrate_per_state   | Control variable
Number of firms per state                | Firms_per_state_0512        | Control variable
Population per state                     | Pop_per_state               | Control variable

Table 6: summary of the independent variables

296 Security Breach Notification Chart (Perkins, 2013) <http://www.perkinscoie.com/files/upload/LIT_09_07_SecurityBreachExhibits2.pdf> accessed 4 July 2013.
297 Arthur O’Sullivan and Steven M. Sheffrin, Economics: Principles in Action (Pearson Prentice Hall 2003), 512.
298 Perkins (n 296).
299 ‘US GDP’ (US Government Revenue, 2013) <http://www.usgovernmentrevenue.com> accessed 13 June 2013; ‘Internet penetration rate’ (PEW Internet) <http://pewInternet.org/Reports/2012/Digital-differences/Main-Report/Internet-adoption-over-time.aspx> accessed 12 June 2013; ‘Firms in U.S. states’ (n 280); ‘Population in U.S. states’ (Internet World Stats, 2013) <http://www.Internetworldstats.com/unitedstates.htm> accessed 12 June 2013.


5.3 Hypotheses

The construction of hypotheses is a last step towards executing the quantitative analysis in the next chapter. In chapter 3, design parameters were distinguished from the legal analysis. In chapter 4, relations between aspects of the law, compliance and the amount of notifications were derived from the literature. It was assumed that addressees, scope and sanctioning in combination with enforcement are positively related with the amount of breaches. The aim of this chapter was to draw hypotheses in such a way that they also have explanatory power for the Dutch and European situation. Therefore the independent variables are clustered to construct hypotheses in the light of the design parameters sanctioning, scope and notification authority. The U.S. laws do not have significant differences in the design parameters addressees and confidential treatment. As such, those two design parameters shall not be tested within this quantitative analysis.

5.3.1 Hypothesis 1: sanctioning

The literature review showed that high sanctions (in combination with strict enforcement) influence the willingness to notify. The independent variables that relate to sanctioning are Sanctioning, Private_action and Strict_Romanosky. Strictness defined by Romanosky also entails elements of scope, and is therefore discussed in the light of hypothesis 2 as well. This hypothesis can be criticized by opposing arguments. For example, safety culture theory says that people and organizations have to be rewarded instead of punished in order to learn or admit mistakes.[300] The very successful leniency policy in competition law has shown that a mix of high fines and high rewards can incentivize organizations to notify a cartel.[301]

Hypothesis 1a: laws with a maximum sanctioning above $50k have a higher amount of breaches.
Hypothesis 1b: laws with a strictness defined by Romanosky have a higher amount of breaches.
Hypothesis 1c: laws with a private right of action have a higher amount of breaches.

5.3.2 Hypothesis 2: scope

The hypothesis is that a broad breach definition causes more notifications because more cases of breaches fall under the definition of a breach. An opposing argument for this hypothesis is that interviews suggested that if the amount of security breaches that fall under the scope is wide, the willingness to notify would be lower because of notification fatigue.[302] The independent variables Scope and Strict_Romanosky are related to the design parameter scope. The strictness variable defined by Romanosky includes aspects of scope because those laws have a lower threshold for a breach and cover all entities. Therefore strictness defined by Romanosky can also be an indicator for scope.[303]

Hypothesis 2a: laws with a wider scope than the general definition have a higher amount of breaches.
Hypothesis 2b: laws with a strictness defined by Romanosky have a higher amount of breaches.

5.3.3 Hypothesis 3: notification authority

Some states require a notification to a notification authority. It is assumed that an obligation to notify the Attorney General or customer credit reporting agency will result in more breaches in the dataset because those agencies are a centre for data collection. This does not necessarily mean that there are more breaches, but that there are more breaches in the dataset because the notification authority is a central organ for processing this data.

Hypothesis 3a: laws with an obligation to notify the Attorney General have a higher amount of breaches.
Hypothesis 3b: laws with an obligation to notify the Customer Credit Reporting Agency have a higher amount of breaches.

300 Patrick Hudson, ‘Safety Culture, Theory and Practice’ (Centre for Safety Science, Leiden University, 1999), 3 <http://ftp.rta.nato.int/public//PubFulltext/RTO/MP/RTO-MP-032///MP-032-08.pdf> accessed 13 June 2013.
301 European Commission, ‘Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003 (Leniency Policy)’ [2006] OJ L 210/02. Organizations that provide information about a cartel in which they participated might receive immunity or a reduction from fines.
302 Interview with Rogier Ragetlie, Security Manager, Brabant Water (’s-Hertogenbosch, the Netherlands, 25 April 2013).
303 It is hard to determine which aspect of the strict laws defined by Romanosky in fact causes any significant result; it could relate either to sanctioning or to scope.


6 Quantitative analysis

This chapter analyses the hypotheses formulated in the former chapter. The effects of an SBNL are expected to be complex and the dataset is flawed. Hence, basic statistical tools such as descriptive analysis and means comparison are a reliable approach. Thus, a descriptive and statistical comparison of the means and medians between the independent variables and the dependent variables is performed. Hereafter, a more advanced statistical model, a fixed effects regression, is executed. A fixed effects regression can control for variations between time and states.[304]

6.1 Comparisons of means and medians

The hypotheses are first tested by comparing the differences between means and medians of the amount of breaches for each classification of the law. Therefore, only cases of breaches in states with an adopted SBNL in that particular year are selected. One cannot measure classifications in the law without the existence of the law. These are 297 cases out of the total of 400 cases. This is an unbalanced panel because laws are not introduced at the same time.[305] Descriptive statistics are displayed for every classification. These are the difference between the average mean and median of Breaches_per_firm between the laws that have the aspect that is classified and laws without this aspect.[306] The dataset is observed for three periods: the total timespan (between 2005 and 2012), the developing period (between 2005 and 2008) and the mature period (between 2009 and 2012). An individual year-by-year statistical comparison of means probably would not provide us with much more detail, amongst others because the amount of cases would be too low to make any useful statements. The statistics of the median reflect on the mean results, because outliers of states that have a lot of breaches per firm can blur the picture.

Hereafter, an Independent Samples T-test and a Mann-Whitney test are used to analyze whether respectively the means and medians differ significantly. A Mann-Whitney test can in most cases be interpreted as a difference in medians.[307] In most cases, the dependent variable is not normally distributed. In the developing period, the sample size of some observations is lower than 40. An Independent Samples T-test is not allowed in this situation, but the non-parametric Mann-Whitney test is. Before analyzing the classifications, the effect of a law as such, without taking several classifications into account, is analyzed.

304 An introduction to the fixed effects regression is given in section 1.4.2 of this research.
305 The panel is unbalanced because laws are adopted at different periods in time. Hence, a different amount of laws is observed for each year in the dataset.
306 Detailed descriptive statistics can be found in appendix C.
307 The Mann-Whitney test is not an official comparison of medians, because it compares the mean ranks. There are situations thinkable where a similar median can give a significant outcome for the Mann-Whitney test, if the distributions have a different shape. Because the test is used for a rough analysis in comparison with the samples T-test, these kinds of exceptions will not be taken into account.
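The Mann-Whitney test used in this section, together with the caveat of footnote 307, as an added example in Python that is not part of the thesis: two constructed groups of Breaches_per_firm values (the group sizes and values are assumptions for illustration) share the same median, yet the test reports a significant difference because it compares mean ranks and the two distributions have different shapes.

```python
"""Mann-Whitney U test (normal approximation) on constructed Breaches_per_firm data.

Added example, not part of the thesis. It reproduces the caveat of footnote 307:
identical medians can still yield a significant Mann-Whitney outcome when the
distributions differ in shape, because the test compares mean ranks, not medians.
"""
import math
from statistics import mean, median

# Constructed values (not real data) for states labelled 1 and 0 on some
# classification. Both groups have median 50. The label-1 group is tight just
# below the median and spread far above it; the label-0 group is the reverse.
LABEL_1 = [40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
           80, 90, 100, 110, 120, 130, 140, 150, 160, 170]
LABEL_0 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 50,
           51, 52, 53, 54, 55, 56, 57, 58, 59, 60]


def average_ranks(values):
    """Rank all values 1..N; tied values share the average of their ranks."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0          # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def mann_whitney(group1, group0):
    """Two-sided Mann-Whitney U test with tie-corrected normal approximation.

    Returns (U of group1, mean rank of group1, mean rank of group0, z, p).
    The normal approximation is adequate for the group sizes used here (n >= 20).
    """
    n1, n0 = len(group1), len(group0)
    n = n1 + n0
    pooled = list(group1) + list(group0)
    ranks = average_ranks(pooled)
    r1, r0 = sum(ranks[:n1]), sum(ranks[n1:])
    u1 = r1 - n1 * (n1 + 1) / 2.0        # U statistic for group1
    # Tie correction: sum of (t^3 - t) over every group of t tied values.
    counts = {}
    for v in pooled:
        counts[v] = counts.get(v, 0) + 1
    tie_term = sum(t ** 3 - t for t in counts.values())
    var_u = n1 * n0 / 12.0 * ((n + 1) - tie_term / (n * (n - 1)))
    z = (u1 - n1 * n0 / 2.0) / math.sqrt(var_u)
    p = math.erfc(abs(z) / math.sqrt(2))  # two-sided p-value
    return u1, r1 / n1, r0 / n0, z, p


def compare(group1, group0):
    """Descriptives plus test result, in the layout of the thesis' tables 9/10."""
    u1, mr1, mr0, z, p = mann_whitney(group1, group0)
    return {
        "mean_1": mean(group1), "median_1": median(group1),
        "mean_0": mean(group0), "median_0": median(group0),
        "U": u1, "mean_rank_1": mr1, "mean_rank_0": mr0, "z": z, "p": p,
    }


if __name__ == "__main__":
    r = compare(LABEL_1, LABEL_0)
    print(f"label 1: mean {r['mean_1']:.1f}, median {r['median_1']}")
    print(f"label 0: mean {r['mean_0']:.1f}, median {r['median_0']}")
    print(f"U = {r['U']}, mean ranks {r['mean_rank_1']:.2f} vs {r['mean_rank_0']:.2f}")
    print(f"z = {r['z']:.3f}, two-sided p = {r['p']:.4f}")
    # Same medians, yet p < .05: the difference lies in the shape, not the median.
```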


6.1.1 Effect of the law

Below the means and medians of Breaches_per_firm (and Breaches_per_firm_sel) for Has_law are displayed.[308] It is clearly visible that there are more notifications in the dataset when the law is adopted.

Database:     | All sources                      | Selected sources
Value:        | 0             | 1                | 0             | 1
Mean/median   | Mean | Median | Mean | Median    | Mean | Median | Mean | Median
Has_SBNL      | 77   | 72     | 55   | 50        | 45   | 37     | 37   | 32

Table 7: descriptive statistics of Has_law (highest marked green)

The mean and median also statistically differ at the .01 level, as can be seen in the table below. The values of the means of the selected sources are lower because there are fewer breaches in the database with the selected sources compared with the database containing all sources.

Has_SBNL            | All sources                | Selected sources
                    | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)   | .000       | .000          | .000       | .000

Table 8: comparison of means and medians of the Has_law classification

6.1.2 Testing hypothesis 1

Below the means and medians of Breaches_per_firm for the classifications related to sanctioning are displayed. The means and medians of each classification per year are displayed in appendix C.

Database:          | All sources                      | Selected sources
Value:             | 0             | 1                | 0             | 1
Mean/median        | Mean | Median | Mean | Median    | Mean | Median | Mean | Median
Sanctioning        | 78   | 72     | 75   | 75        | 56   | 47     | 54   | 53
Strict_Romanosky   | 72   | 68     | 99   | 92        | 51   | 48     | 72   | 65
Private_action     | 73   | 66     | 86   | 89        | 53   | 47     | 61   | 60

Table 9: descriptive statistics of sanctioning related classifications (highest marked green)

The descriptive analysis shows that the highest mean of Sanctioning lies at the states labeled 0, while the states that are labeled 1 have the highest median. Besides, the differences are very small. This suggests that the classification Sanctioning does not generate a lot of differences in the amount of breaches in the database. Strict_Romanosky and Private_action have higher means and medians for states labeled 1. This direction corresponds with hypotheses 1b and 1c. The dataset that includes all sources does not show a different pattern than the dataset with selected sources. The following bar chart of Strict_Romanosky is based on the data in Appendix C. Laws that are stricter according to Romanosky have a higher mean and median compared to the laws that do not have such a strictness, except for the median of 2007 and 2012.

308 Values are rounded.


Figure 1: bar chart of Strict_Romanosky (all sources, green is one, left median, right mean)

The next analysis is a comparison of those means and medians using a parametric Independent Samples T-test and a non-parametric Mann-Whitney test. A comparison of all the cases covering all the years of data collection has been performed. As said, separate comparisons of means and medians are executed in order to analyze differences between the developing period and the mature period. The results are shown below.[309]

Sanctioning          | All sources                | Selected sources
                     | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)    | .510       | .916          | .616       | .582
2005-2008 (n=31)     | .939       | .910          | .765       | .965
2009-2012            | .329       | .774          | .729       | .464
Strict_Romanosky     | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)    | .003       | .002          | .002       | .001
2005-2008 (n=21)     | .169       | .138          | .133       | .085
2009-2012            | .007       | .003          | .008       | .007
Private_action       | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)    | .039       | .006          | .115       | .017
2005-2008 (n=30)     | .618       | .267          | .289       | .077
2009-2012            | .049       | .012          | .232       | .096

Table 10: comparison of means and medians of sanctioning related classifications (significant results marked green)

The results show that there are significant differences between means and medians at the 0.01 level for Strict_Romanosky for the total group and the mature period. The mature period contains more cases, thus is more likely to influence the total picture, which could explain the similarities in results. Private_action shows a similar pattern for all the sources, but does not produce significant results for selected sources except for the Mann-Whitney test. The fact that there are no differences in the developing phase could be attributed to the fact that most (aspects of the) laws need a certain period to become effective and that real impact can only be observed after a couple of years.

309 A low number of cases (n>60) is mentioned. All other observations have a higher number of cases.

6.1.3 Testing hypothesis 2

Database:          | All sources                      | Selected sources
Value:             | 0             | 1                | 0             | 1
Mean/median        | Mean | Median | Mean | Median    | Mean | Median | Mean | Median
Scope_law          | 77   | 71     | 77   | 74        | 54   | 48     | 56   | 52
Strict_Romanosky   | 72   | 68     | 99   | 92        | 51   | 48     | 72   | 65

Table 11: descriptive statistics of scope related classifications (highest marked green)

The descriptive analysis of the classifications related to hypothesis 2 shows that laws with a wider scope have slightly more breaches per firm for the selected sources. This is however not confirmed by the database with all sources. This database shows a mixed pattern, which indicates no significant difference. The independent variable Strict_Romanosky differs significantly.[310]

Scope_law            | All sources                | Selected sources
                     | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)    | .944       | .910          | .727       | .588
2005-2008 (n=49)     | .522       | .786          | .827       | .777
2009-2012            | .879       | .945          | .516       | .670
Strict_Romanosky     | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)    | .003       | .002          | .002       | .001
2005-2008 (n=21)     | .169       | .138          | .133       | .085
2009-2012            | .007       | .003          | .008       | .007

Table 12: comparison of means and medians of scope related classifications (significant results marked green)

The comparison of means and medians shows no significant difference for scope. This was expected from the descriptive statistics. Strict_Romanosky contains both elements of scope and sanctioning. The question is whether the scope or the sanctioning aspect of Strict_Romanosky would determine the significant difference. Based on this data, it is more likely that its sanctioning aspect will explain the higher amount of breaches for laws that are strict according to Romanosky, because Private_action shows similar results.

6.1.4 Testing hypothesis 3

Hypothesis 3 shows a major difference between the means and medians of the laws that do have the classifications Not_ag and Not_custcredit and the laws without this classification.

310 As already discussed in section 6.1.2 of this research.


Database:          | All sources                      | Selected sources
Value:             | 0             | 1                | 0             | 1
Mean/median        | Mean | Median | Mean | Median    | Mean | Median | Mean | Median
Not_ag             | 71   | 67     | 88   | 84        | 50   | 47     | 65   | 60
Not_custcredit     | 70   | 56     | 82   | 78        | 48   | 41     | 60   | 53

Table 13: descriptive statistics of notification authority related classifications (highest marked green)

The descriptive statistics of Not_ag and Not_custcredit show results that correspond with the hypotheses. There are, on average, more breaches if these obligations are present in the law.

Not_ag               | All sources                | Selected sources
                     | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)    | .004       | .009          | .001       | .001
2005-2008 (n=39)     | .091       | .063          | .076       | .041
2009-2012            | .024       | .066          | .005       | .014
Not_custcredit       | Parametric | Mann-Whitney  | Parametric | Mann-Whitney
2005-2012 (total)    | .044       | .016          | .010       | .002
2005-2008 (n=48)     | .209       | .032          | .109       | .011
2009-2012            | .159       | .199          | .042       | .054

Table 14: comparison of means and medians of notification authority related classifications (significant results marked green)

The parametric t-test and Mann-Whitney test show that both classifications render significant differences for the whole time span. The obligation to notify the Attorney General is even significant at the .01 level. The picture is less clear for the developing and mature period.

6.2 Fixed effects regression

The comparison of means has some major drawbacks, which can partly be solved by a fixed effects regression model. The comparison of means is vulnerable to differences in the amounts of breach notifications between states that are not caused by the differences between laws, but by other variables that are omitted from the analysis. The analysis is also vulnerable to effects over time, such as the effect of Internet security. Section 5.1.4 discussed variables that differ between states and controlled for the amount of firms per year by dividing the number of notifications by the amount of firms. However, there are still many variables that differ between states that are not discussed. Section 5.1.5 discussed the negative feedback effect of Internet security that changes over time, which is an omitted variable from the analysis. It is impossible to control for all variables that vary over time or between states, because it is impossible to identify all possible variables and to categorize them in a quantitative manner. Moreover, the comparison of means only indicates rough relations between the dichotomous independent variables and the dependent variable. A statistical model can improve the interpretation of the correlations. A possible solution for the problem of omitted variables is the fixed effects regression model, a standard econometric tool that is used for longitudinal data.[311] The mechanism of the fixed effects regression method has been explained briefly in section 1.4.3.

6.2.1 The model

Two models have been used to capture the impact of the classifications of the law on the amount of breaches per firm. The first model does not take the adoption of the law into account; it focuses entirely on the impact of the classifications of the law for the period in which states had adopted the law. This results in an unbalanced panel.[312] To acquire a somewhat more reliable balanced panel, the breaches that were collected without the existence of a law are entered into the model as well.[313] For this purpose, the variable Has_law is used and interacted with the classifications of the law. The model is reconstructed for the independent variables that turned out to be significant.

Model 1: unbalanced panel (297 cases)
Breaches_per_firm(_sel) = β0 + β Sanctioning + β Strict_Romanosky + β Private_action + β Scope_law + β Not_ag + β Not_custcredit + γs + δt + εs

Model 2: balanced panel with Has_SBNL (400 cases)
Breaches_per_firm(_sel) = β0 + β Has_SBNL + β Has_SBNL * (β Sanctioning + β Strict_Romanosky + β Private_action + β Scope_law + β Not_ag + β Not_custcredit) + γs + δt + εs

Alternative dependent variables: Breaches_per_firm_sel / Log_breaches / Log_breaches_sel

The independent variables are dummy variables. γs, δt and εs are respectively state fixed effects, time fixed effects and the error term.[314] As said, the fixed effects model is able to take correlations between several years of a law into account. This requires an assumption about the structure of the correlations between occasions, called the covariance structure.[315] Out of many types of covariance structures, the autoregressive and compound symmetry functions are the best candidates to fit the data.[316] The autoregressive structure is the most commonly used structure in these kinds of fixed effects regression and is therefore used in the model.[317]

311 Interview with Thijs Urlings, Assistant Professor, Innovation and Public Sector Efficiency, Delft University of Technology (Delft, the Netherlands, 3 May 2013).
312 The panel is unbalanced because laws are adopted at different periods in time. Hence, a different amount of laws is observed for each year in the dataset.
313 Ibid.
314 Verbeek (n 84) 345-347.
315 Ronald H. Heck, Multilevel and Longitudinal Modeling with IBM SPSS (Routledge, 2010) 163, 164.
316 Compound symmetry assumes equal variances and equal covariances across occasions that are constant over time. The autoregressive covariance structure assumes that the residual covariances between measurement occasions within subjects (= states) are correlated but decline exponentially with the distance. Hence, these structures are fairly similar.
317 Chuck Kincaid, ‘Guidelines for Selecting the Covariance Structure in Mixed Model Analysis’ (SUGI, 10 April 2005) 30 <http://www2.sas.com/proceedings/sugi30/198-30.pdf> accessed 13 June 2013.

The table below displays the coefficients and significance of the independent variables. The SPSS mixed models procedure does not produce an R-squared statistic, because “definitions for an R-square become problematic in models with multiple error terms”, caused by the multiple measurements.[318] Each model is repeated for the independent variables that were significant in the model. This iteration is displayed after the slash.

Independent variables (effect for = 0) | Breaches_per_firm [First run]/[Repeated] |                    | Breaches_per_firm_sel [First run]/[Repeated] |
                                       | Balanced           | Unbalanced         | Balanced           | Unbalanced
Has_SBNL                               | -41.7***/-79.6***  | Not analyzed       | -20.3/-37.4***     | Not analyzed
Sanctioning                            | -                  | -                  | -                  | -
Strict_Romanosky                       | -17.3**/-28.5***   | -18.5*/-28.4***    | -12.5*/-20.4***    | -13.1*/-16.8***
Private_action                         | -                  | -                  | -                  | -
Scope_law                              | -                  | -                  | -                  | -
Not_ag                                 | -                  | -                  | -                  | -12.0**/-9.8*
Not_custcredit                         | -                  | -                  | -                  | -10.9**/-
Constant                               | 95.3***/95.9***    | 96.6***/97.1***    | 68.9***/68.9***    | 69.5***/75.5***
Observations                           | 400                | 297                | 400                | 297
Number of states                       | 46                 | 50                 | 46                 | 50
Significance: *** p<.01; ** p<.05; * p<.1; ‘-’ p>.1

Table 15: results of the fixed effects regression model

The results partly confirm the insights from the comparison of means but also display differences. The adoption of a law does have a significant effect on the amount of breach notifications, as expected. This confirms the significant differences in means and medians that were found in section 6.1. The absence of a law results in a reduction of on average between 79.6/95.9 = 83% and 37.4/68.9 = 54%. Strict_Romanosky has a significant impact on the amount of breaches per million firms in a state, just as in section 6.1.2. The coefficients reflect the effect for the absence of the classification, which is label ‘0’. Therefore, the parameters in the model have an opposite sign. Hence, states that are not labeled 1 for Strict_Romanosky perform worse regarding the amount of breaches. It is notable that their relative impact is almost exactly the same for the database with all sources and selected sources. The absence of Strict_Romanosky laws reduces the intercept by 28.5/95.9 = 29.7% for all sources and 20.4/68.9 = 29.6% for selected sources. Both Sanctioning and Scope_law do not have a significant impact in the model. This also corresponds with the findings in the comparison of means. But Private_action, Not_ag and Not_custcredit, which partly had significant results concerning the means comparison, are not significant in this model except for Not_ag in the unbalanced selected sources dataset.[319] This can be caused by the fact that states with these laws already had a higher amount of breaches at the start of the measurements, which cannot be attributed to this particular aspect of the law. Contrary to the comparison of means, the fixed effects regression controls for these kinds of errors. Furthermore, the balanced and unbalanced panels and the database with all sources and the database with selected sources perform quite similarly.

318 ‘R-square statistics in SPSS Mixed Models’ (IBM support, 9 July 2011) <http://www-01.ibm.com/support/docview.wss?uid=swg21481012> accessed 13 June 2013.
319 Except for the unbalanced model with selected sources, but this only results in Not_ag being significant at the 0.1 level, which cannot be regarded as a powerful result.

6.2.2 Robustness check

Robustness checks have already been made by constructing both a balanced panel and an unbalanced panel, and by running the model for both the dataset that includes all sources and the dataset that only includes selected sources. In addition to that, the dependent variable is transformed to the logarithmic transformation of the amount of breaches, thus without dividing by the number of firms. The logarithmic transformation of the number of firms is used as a control variable in the model, because this variable varies between states and over time and cannot be filtered out by the fixed effects regression. The outcome for the alternative model is displayed below:

Dependent variable (effect for = 0) | Log_breaches                      |                  | Log_breaches_sel                 |
                                    | Balanced         | Unbalanced     | Balanced         | Unbalanced
Has_SBNL                            | -/.86***         | Not analyzed   | -/-.58***        | Not analyzed
Sanctioning                         | -                | -              | -                | -
Strict_Romanosky                    | -.25*/-.33*      | -.26**/-.34*** | -.22**/-.24**    | -.22**/-.25**
Private_action                      | -                | -              | -                | -
Scope_law                           | -                | -              | -                | -
Not_ag                              | -                | -              | -.20**/.19**     | -.19**/-.18**
Not_custcredit                      | -.16*/-          | -.16*          | -                | -
Log_firms0512                       | .88***/.88***    | .92***/.92***  | .85***/.86***    | .89***/.87***
Significance: *** p<.01; ** p<.05; * p<.1; ‘-’ p>.1

Table 16: robustness check fixed effects regression

Mainly Strict_Romanosky is able to hold the robustness check, being significant at on average the .05 level. It is not surprising that the number of firms is highly significant. This corresponds with the high correlations found in section 6.1.1. Not_ag produces some significant results at the .05 level for the dataset with the selected breaches. Hence, Not_ag is fairly robust in the unbalanced selected sources model.

6.3 Verification & validation of the quantitative analysis

6.3.1 Verification

The analysis has various limitations, which are partly tackled by the approach followed. First, the representativeness of the dataset is hampered. The amount of breaches per case is relatively low. In addition to that, the dataset is constructed out of multiple sources that are not mutually exclusive and representative. Those limitations have been discussed in chapter 5. In order to tackle the latter problem, the dataset has been run separately for two relatively representative selected sources. In addition to this, fixed effects regression, a sophisticated statistical tool, requires complete data. Given the list of assumptions and the low representativeness of the dataset, there is a risk of over-interpreting the results.

Second, there are multiple inherently omitted variables that can change over time and between states. In the means comparison, this limitation is mitigated by separating a developing and a mature period and by controlling for the number of firms in a state. This issue is treated more thoroughly in the fixed effects regression. This method controls for state and time differences. However, the fixed effects regression does not control for variables that differ between states and over time simultaneously. For example, Internet security can vary between states but also over time. The results thus should be treated with care. However, the results that have proven to be robust are expected to explain the effects of American SBNLs.

6.3.2 Validation

The aim of this chapter was to learn from the available American data in order to make recommendations for the European and Dutch legislative proposals. Applying insights of the American quantitative analysis and the structure of American laws to the other side of the Atlantic is a question of legal transplantation.[320] Laws have been transplanted since the Roman ages, at the time of the Codex Justinianus.[321] Nowadays, globalization and the availability of information have increased the speed of legal transplantation. A cornerstone concept of legal transplantation is that the law and its effects probably fit better if it stands alone from the local culture.

The performed quantitative analysis of the American situation has (some) external validity for the European Union. The American laws have more similarities with the European PDPR than with the PCD. The American laws and the PDPR focus on the protection of personal data and both can impose heavy sanctions. But still, there are also major differences. For instance, the claim culture in the United States differs from the European Union. Companies in the U.S. are possibly more receptive to high sanctions and will notify earlier.[322] Thus, there are specific cultural elements embedded in the results of the American data analysis. On the other hand, the cross-border effect and universality of the Internet and Internet insecurity suggest that the data analysis can be transplanted to the European situation to some extent.

6.4 Conclusions

The aim of this chapter was to test the hypotheses formed in the former chapter. The present data is not ideal, but nevertheless there are conclusions to make about the effects of an SBNL on the amount of breaches in the dataset. Several analyses for (multiple intersections of) the dataset have been made. The conclusions depend on how strictly one wants to interpret the results.

320 Alan Watson, Legal Transplants, An Approach to Comparative Law (Second Edition, University of Georgia Press, 1994).
321 Martin de Jong, Konstantinos Lalenis and Virginie Mamadouh, The Theory and Practice of Institutional Transplantation (Kluwer, 2002), 281.
322 Interview by email with Arnoud Engelfriet, Associate at ICTrecht (3 May 2013).


First, the adoption of a law clearly relates to more security breaches in the database. This is confirmed by both the means comparison and the fixed effects regression. The absence of an SBNL results in on average between 83% and 54% decrease of the amount of security breaches in the database. The database is partly constructed from underlying sources that only register officially notified breaches, which can explain this high relative increase.

Second, the laws that are defined strict by Romanosky are quite undisputedly related with a higher number of breaches, both in the fixed effects regression and the comparison of means.[323] The explanation for this would lie in the fact that the adoption of a law caused security breach notifications to flow into the notification system and that stricter laws give more rational incentives for compliance. Unfortunately, the underlying effect of the variable strictness is less clear, because it consists of multiple characteristics.

Third, there are independent variables that did not stand the entire statistical procedure. It could be doubted whether these classifications of the law have an effect. Laws that allowed for a private right of action or had an obligation to notify the Attorney General or the Customer Credit Reporting Agency were positively associated with higher amounts of breaches in the comparison of means, but could not stand the fixed effects regression test.

Fourth, it is clear that laws with a sanction higher than 50 000 dollar and a wider scope than the general definition do not differ in the amount of notifications compared with laws that did not have those properties. Hence, this is a clear rejection of the hypothesis that high sanctions or a broad scope do have an effect on compliance. However, this rejection can partly be attributed to the way these design parameters are constructed. Within Sanctioning for instance, laws with a sanction higher than 50 000 dollar are separated from laws that did not impose such a sanction. However, some laws do not have a predefined sanction, but these laws potentially leave open the possibility to impose sanctions above 50 000 dollar. Moreover, some laws also allow for a private right of action, which can increase the total ‘sanction’ that can be imposed, which is not included in this variable but in the separate Private_action variable.

323 Because "they are acquisition-based (forcing more disclosure from a lower threshold of breach); cover all entities (businesses, data brokers and government institutions); and allow for a private right of action (i.e., individual or class action lawsuits)" (Romanosky (n 255) 273).


7 Qualitative analysis

The qualitative analysis reviews the perception of Dutch security experts and managers regarding the first and second order effects and the outcomes of the quantitative analysis. First, the respondents are asked about the effects of SBNLs. Second, the results of the literature review and the quantitative analysis are presented and discussed. Third, the respondents have reflected on the approach to measuring effectiveness in the quantitative analysis. Fourth, the respondents also reviewed the proposed Dutch and European SBNLs.

7.1 Experts interviewed

Two types of respondents have been interviewed: information security experts and security managers of companies with a complex computer defense system. Because the quality of the analysis strongly depends on the knowledge of the respondents related to the specific theme, the following list of criteria is applied to select them.

1.) The respondent must have extensive experience in Internet security and/or Internet law (10 years or more, or recently educated).
2.) The respondent must hold a key Internet security and/or Internet law related position.
3.) The respondent must have knowledge about SBNLs.

Based on these three criteria the following respondents are selected, as represented in the table below. As said, a distinction is made between experts and security managers.

Name               Position                                                                   Type              Interview duration
Mr. R. Prins       Director and founder at Fox-IT (a cybersecurity consultancy company)        Expert            1h
Mr. R. Ragetlie    Risk manager at Brabant Water (a water utility company)                    Security manager  1h
Mr. A. Engelfriet  Associate at ICTrecht (a legal ICT consultancy company)                    Expert            (interview by email)
Mr. W. Vrijssen    Chief Technology Security Officer at Vodafone (a telecommunications provider)  Security manager  1h

Table 17: list of respondents

Both Vodafone and Brabant Water fall under the Dutch SBNL initiative. In addition to that, Vodafone has to comply with the Dutch implementation of the E‐privacy Directive, which is the predecessor of the proposal for a general SBNL in the PDPR.324 The security managers can thus generate insights on their perception of the Dutch and the European initiative.

324 Article 4(2) of Directive 2009/136/EC; Article 11.3a Telecommunicatiewet (Telecommunications Act).

7.2 Results

First, the respondents' perception of incentives for compliance is displayed. Second, the respondents reflected on the quantitative analysis and the dataset. Third, the respondents have generated expectations on the second order effect of SBNLs.

7.2.1 First order effect

The consideration for compliance is mainly perceived as a cost benefit analysis, although the experts interviewed also mention social responsibility as an incentive to comply with SBNLs. The security managers stated that they would comply with the law voluntarily, according to the logic of appropriateness. The experts confirmed that, probably, a part of the companies would comply voluntarily. However, if a company believes that the avoidance of fines is possible, it has a strong incentive to fix the leak internally without disclosure. One expert notes that it is unlikely that there are a lot of voluntary notifications in the United States, because of the claim culture that exists there.

The concurring opinion of all the respondents is that high sanctions in combination with strict enforcement will provide the most important incentive for compliance. As one respondent puts it, the risk of being fined possibly 2% of the turnover of a company [in the European situation] "will be discussed on board level". Respondents mentioned enforcement of sanctions as an important driver for compliance, for example in the form of security audits. A security manager had experience with friendly audits by the supervisor concerned with the SBNL in the telecommunications sector and perceived these audits positively, because they increased the awareness of security among employees and led to the optimization of security processes. Another expert put forward an example from Dutch consumer law to demonstrate the effect of enforcement: according to this expert, compliance with Dutch consumer law increased after the supervisory authority concerned actually imposed fines.

It is confirmed by all the respondents that reputation damage is a major incentive for non‐compliance. The publication of the imposition of a sanction in the media is also expected to have an additional negative reputational impact. The respondents however also note that major security breaches have a large likelihood of being published in the media beyond the control of a company. A security manager puts forward the hypothesis that small breaches will not be notified and that large breaches will be notified, because large security breaches are regarded to have a high likelihood of being published in the media anyway.

7.2.2 Reflection on quantitative analysis and the dataset

The respondents formed the following opinions on the effects of the independent variables of the quantitative analysis. The independent variable sanctioning is expected to have the most impact on the number of notifications, which contradicts the observations in the quantitative analysis. Some respondents also expect a private action possibility to have an effect. However, there is a perceived risk that companies are not able to respond to major claims and go bankrupt, which is not beneficial for the system. An increased scope is expected to increase the number of breaches.

The respondents identified several problems with measuring effects in the quantitative analysis, which places the observations into perspective. The fact that it is unknown how many companies are non‐compliant is mentioned frequently as a barrier to valuing the number of compliant companies. Moreover, the term breach is questioned as a proxy to measure effectiveness, as there are multiple variables that influence the number of breach notifications. The number of breaches is expected to decline if the SBNL has a positive effect on Internet security, or because criminals shift their businesses. Moreover, a breach does not contain information about its severity and the extent to which a company lost control.

All the respondents explain the representation of 0.05% of the American companies in the dataset by both incompleteness and non‐compliance of companies. According to the respondents, a multiple of the American companies must have perceived a loss of personal data between 2005 and 2012. The idea shared by all respondents is that cybercrime is daily business and that the main characteristic of cyberthreats is their universality in being a threat for all types of businesses.

The respondents list several attributes of a breach that have to be recorded in a database to enable an enhanced analysis in future research. These involve the characteristics of the data theft and the amount of personal data that is stolen. Moreover, it is important to know whether there is damage or potential damage if integrity is lost. Overall, respondents are interested in a detailed description of how the breach occurred and the industry in which the breach took place.

7.2.3 Second order effect

Experts regard insights into the scope of the Internet security problem and its negative effects on society as a positive effect. Moreover, respondents perceive that an SBNL generates an incentive for organizations to improve security practices in order to avoid reputational damage (see also the sunlight as disinfectant mechanism, discussed in section 4.2). The possible assistance of a capable government that helps in mitigating losses after a security breach is also perceived as a positive effect.

An expert notes that an SBNL possibly has a negative effect on Internet security, because the focus of the SBNL lies on the notification of breaches and not on the improvement of security as such. He proposes a sanction on bad security practices itself instead of on non‐compliance with a notification law. Another expert states that the juridification of the problem can be a potential threat. The administrative burden of complying with the law is also perceived as a negative effect.


7.2.4 Review of the Dutch initiative, the PDPR and the PCD

Both experts and security managers noted that clear and not too broad legislation is preferred. The security managers discussed the 'vaguely defined' criterion of societal shock in the Dutch initiative.325 According to them, a loss of integrity "must be a deviation from the normal situation". Hence, the 'significance' of a significant loss of integrity breach in Article 14 PCD must be clearly defined. The obligation to notify insignificant security breaches is perceived to create an unnecessary administrative burden for companies. Security experts urge to include both the loss of integrity and the loss of personal data in the definition of a breach.

If the government wants to impose an obligation to notify security breaches, it must have substantive expertise in mitigating losses and exchanging information. But security managers do not regard the current role of the (Dutch) government as a center for information exchange and control as effective. The government, for example, currently does not share information about personal data breaches in the telecommunications sector. In addition to that, the government is inert in processing the information gained from security breach notifications into useful strategies. Moreover, there are doubts concerning the technical expertise of the government.

Security managers perceive confidential treatment as a minor incentive. This is partly attributed to the fact that public disclosure requests can render confidential treatment incompatible in the Netherlands. Experts perceive a relationship of trust with the supervisory authority as a possible incentive for compliance with the law. Part of this relationship is the assistance of the supervisory authority. It is hard to establish a relationship of trust if the supervisory authority is also responsible for the imposition of sanctions. A security manager noted that a relationship of trust between competitors is of much more importance to stimulate information exchange than a degree of trust with the supervisory authority.

The Dutch initiative and the PCD do not impose sanctions. Moreover, there is ambiguity about the scope of 'societal shock' and 'significance' respectively.326 Furthermore, the respondents perceived limited auxiliary potential of the Dutch government and the European Union. This provides the image of a law that is potentially ineffective. As one expert puts it: "one does not need a law that contains an obligation to notify the fire department if your house is on fire". He meant that voluntary compliance would only exist when a notification is beneficial for the company that notifies.

The sanctions of the PDPR are expected to provide incentives for compliance. Enforcement is important in this respect. A disadvantage of the PDPR is its broad scope: the PDPR covers all kinds of personal data, which can impose an unnecessary administrative burden on companies.327 The absence of a loss of integrity breach obligation causes important breaches to fall outside the scope of the law.

325 See section 3.2.3 of this research.
326 See section 3.3.3 of this research.
327 Ibid.


7.3 Conclusions

The respondents regard that both the logic of consequences and the logic of appropriateness play a role in incentivizing companies to comply with the law. The logic of consequences is regarded as the strongest driver. According to the respondents, the main cost benefit decision is to balance enforced sanctions against expected reputation damage.

It is interesting to see that the interviewed security officers of the companies do not see any problems in complying with the law for their own company, but do estimate that a lot of companies will not comply because of possible reputation damage. The implication of this is that the real behavior of organizations when making a notification consideration is not entirely revealed.

The second order effects associated with SBNLs largely correspond with the effects distinguished in literature.


Part γ: synthesis and conclusions

In part γ, the results of the three types of analysis of part β are synthesized. This results in a conceptual framework and a comparison of the effects analyzed in part β with the aims of the legislation, analyzed in part α. Hereafter, the conclusions and recommendations of the research are presented.


8 Synthesis of literature review, quantitative & qualitative analysis & the aims of legislation

Chapter 4 concerned effects in literature, chapters 5 & 6 concerned effects in American data and chapter 7 concerned the perception of effects by Dutch security experts and managers. This chapter places the three perspectives on the effects of SBNLs in conjunction with each other. As a result of this synthesis, a framework is introduced that aims to give an overview of the mechanisms relating to the first order effect of an SBNL. Apart from this, the effects are compared with the aims of the legislation.

8.1 First order effect

Literature research showed that there are various incentives for compliance with SBNLs. Reputation damage affects compliance negatively. Sanctioning, benefits of information sharing, appropriateness of the law and confidential treatment by the notification authority affect compliance positively.

The experts and security managers in the qualitative analysis distinguish the same incentives for compliance as identified in literature. The added value of the qualitative analysis is twofold. First, the qualitative analysis can give an indication of the relative importance of the incentives in literature. Second, the qualitative analysis can reflect on the results found in the quantitative analysis and the methods applied to measure effectiveness. The qualitative analysis shows the importance of sanctions and reputation damage. Confidential treatment by the notification authority, if applicable, is not perceived as a major driver for compliance. Benefits of information sharing are also not perceived as a major driver to comply. Voluntary compliance, according to the logic of appropriateness, on the other hand is perceived as a major driver.

The first order effect has been proved empirically with American data in this study. The laws have an effect on the number of breach notifications. The effect is relatively large: a notification increase of at least 50% can be attributed to the law by a fixed effects regression analyzing differences in breach notifications before and after the introduction of the law. The database is partly constructed from underlying sources that only register officially notified breaches, which can explain this high relative increase. From an absolute perspective, the effect is minor: less than 0.05% of the companies notified a security breach in America in the eight‐year period that was researched. To compare: a recent study in the United Kingdom reported that 88% of the companies surveyed had experienced data theft in 2009. The low absolute effect could be explained by the incompleteness of the dataset, high compliance costs for a company due to reputation damage, and unawareness of breaches.

The adoption of the law thus has a structural first order effect, at least in the database of known security breaches. It is however ambiguous which aspects of the law provide this effect. Literature and qualitative analysis showed that enforced sanctions generate compliance with the law and that reputation damage is a major driver for non‐compliance. Confidential treatment of the notification and benefits from information sharing about security breaches are perceived as minor incentives for compliance. The quantitative analysis only confirmed that some American laws qualified as strict by American attorneys cause an increase in notifications, but it is ambiguous what exactly makes these laws strict.

The expected effect of high sanctions in literature and qualitative analysis is not confirmed in the quantitative analysis. Although the variable sanctioning is not a perfect proxy for enforced sanctions, no difference was observed in the number of notifications between laws with high sanctions and laws without. This can be explained by the fact that, even in the case of high sanctions, the cost of compliance is still higher than the cost of non‐compliance, because reputational damage is high. An alternative explanation for the absence of the effect of sanctions is that sanctions are not an important driver for compliance, contrary to the views in literature and expert interviews. This would be unlikely, since sanctions are regarded as one of the most important drivers for compliance.

The results of the quantitative analysis are interpreted conservatively. If one would only take the comparison of means into account for drawing conclusions, a private action possibility and obligations to notify the Attorney General and customer credit reporting agencies would positively affect the number of breaches in the database. This is also supported to some extent in the fixed effects regression. Stricter laws according to Romanosky are related to a higher number of notifications, but it is ambiguous which aspect makes these laws strict, because American attorneys specified this classification.

8.1.1 Synthesis

The empirical research has shown that there are various incentives for compliance and that there is a first order effect of notifications. What is the relevance of this analysis for the proportionality test of Article 31 PDPR and Article 14 PCD? The first order effect is not the aim of the legislation, but a prerequisite for a second order effect. The analysis of the first order effect provides the following information.

1. There is a relatively high increase in notifications after the adoption of a law.
2. There is an absolutely low number of notifications.
3. Representative data is important for measuring the first order effect.
4. Literature review shows that enforced sanctions are balanced against reputation damage, but the logic of appropriateness also plays a role.
5. In America, the height of a sanction does not play a role.

The aim of the analysis of the first order effect was to create insights into the consideration to comply with SBNLs. If the incentives for compliance are known, legislation can be designed to optimize compliance. There are many incentives and their relative importance varies. However, the problem remains that the current outcomes of the quantitative analysis cannot falsify the existence of the suggested incentives. It is unknown whether the security breaches that have been notified were notified because of a cost benefit analysis or because of the logic of appropriateness. Although it is reasonable to expect that there are many situations where the cost of a notification will be higher than the cost of non‐compliance, this is only a rough estimation that does not apply to all situations. For instance, the financial impact of reputation damage can vary significantly. To illustrate this, the following scenarios are all explanations for the first order behavior that results in notifications.

Scenario 1: Companies that comply follow the logic of appropriateness. The rest of the companies do not comply because the cost of compliance is higher than the cost of non‐compliance.
Scenario 2: Companies do not comply according to the logic of appropriateness. Some companies do comply because the cost of compliance is lower than the cost of non‐compliance. Other companies do not comply because of a negative cost benefit analysis.
Scenario 3: Companies are only compliant if the publication of a notification is inevitable, because customers are directly affected by a loss of availability, or because third parties intend to publish the data of customers.

Because it is still unclear what drives a company to comply with the law, it is hard to make recommendations on optimizing the design of the law to increase the number of notifications.

8.1.2 The conceptual framework of the first order effect

There is uncertainty concerning the exact drivers of the observed behavior. However, the distinguished mechanisms can be outlined in a conceptual framework. The aim of the conceptual framework is to provide an overview of the variables that influence the first order effect of the SBNL. The conceptual framework is based on the synthesis of the effects in literature, quantitative and qualitative analysis.

The central element in the conceptual framework is the number of notifications that are generated by a notification law. The notification authority administrates the number of breaches, and therefore more breaches are likely to be included in the database if a notification authority is present. The number of notifications can be influenced by the willingness to comply and by the range of the law.

The willingness to comply is influenced by the incentives for compliance with the law that are discussed in section 4.2. Sanctioning, enforcement and confidential treatment are design parameters of the law that affect the willingness to comply positively. The willingness to comply is negatively influenced by reputation damage caused by a security breach notification. This is a negative feedback effect. Increased Internet security as a result of the law can influence compliance: a company perceives benefits of information sharing and will increasingly value the law as appropriate. This is a positive feedback effect on the number of notifications flowing from an SBNL.

The design parameters scope and addressees are expected to influence the range of the law. An increased scope of the law increases the number of notifications that fall under the law. If the law covers more addressees, there are more companies that fall under the law. Furthermore, the improvement of security by SBNLs, discussed in sections 5.1.5 and 7.2.3, results in fewer security breaches and thus fewer notifications that have to be made. A notification law would thus initially result in an increase of notifications, because disclosure is forced. Enhanced Internet security will have a negative feedback effect on the number of notifications.328

328 See section 5.1.4 of this research.

Figure 15: conceptual framework of the first order effect. [Diagram; the nodes shown are: security breach notifications; (perceived) reputational damage; willingness of a company to comply with an SBNL; design parameters of the law (sanctioning, enforcement, confidential treatment, scope, addressees); security breaches within the range of the law; security breaches; Internet security. The arrows are marked + or ‐ according to the direction of influence described in the text above.]


8.2 Second order effect

The second order effect of SBNLs is assessed in literature and qualitative analysis. There are positive and negative effects perceived in both literature and interviews.

The qualitative study demonstrated several positive second order effects perceived in literature and by security managers and experts, such as increased investments in security, fostered cooperation between companies (literature only), increased awareness of consumers of security breaches and faster risk mitigation. However, the positive effects can be nuanced. The security managers interviewed already shared security information with competitors, and did not see an incentive for cooperation with the government following from a security breach notification, because they did not value the government as a center of expertise. Moreover, a security expert challenged the effect of increased investments in security, because the law provides an incentive to notify, not to improve security practices. Accepting the 'risk' of a notification might be less expensive than improving security practices in order to avoid notifications. This is however not confirmed in the literature review or by the other respondents, which implies that the risk of not providing incentives to improve security practices at all must be perceived as low.

Lastly, an increased number of security breach notifications might result in an overload of information, which could also result in disinterest and notification fatigue instead of enhanced awareness and risk mitigation. This overload is not a big threat given the current low number of notified security breaches. For instance, in America, about 600 million records were breached in the eight‐year period observed. This would entail that, on average, an American citizen would be notified twice in eight years.

8.3 Effects versus aims of the European SBNLs

The analysis conducted in part β rendered knowledge about the effects of SBNLs. These effects are rendered in order to substantively answer the questions about the effectiveness of SBNLs. SBNLs are effective if they are suitable to achieve the aims pursued.

Effects                                                      Order           Lit  Qual  Quan  Relation with legislation
Enforced sanctions                                           1st             V    V     X
Reputational damage                                          1st             V    V     -
Appropriateness                                              1st             V    V     -
Benefits of information sharing                              1st             V    V     -
Confidential treatment                                       1st             X    V     -
Overall first order effect                                   1st             -    V     V
Faster risk mitigation                                       2nd (positive)  V    V     -     Aim PDPR: enhance personal data control of individuals
Increased awareness of consumers                             2nd (positive)  V    V     -     Aim PDPR: trust in the digital environment
Increased security investments                               2nd (positive)  V    V     -     Aim PCD: create a culture of risk management
Fostered cooperation                                         2nd (positive)  V    X     -     Aim PCD: enhance information exchange between the private and public sectors
Reputational costs for companies                             2nd (negative)  V    V     -
Compliance costs for companies                               2nd (negative)  V    V     -     (Only) compliance costs are estimated by the Commission
Maintenance and processing costs for Member States           2nd (negative)  V    -     -
Costs of increased investments and cooperation for companies 2nd (negative)  V    -     -
Notification fatigue for consumers                           2nd (negative)  V    -     -     Counter to aim PDPR: enhance personal data control of individuals; counter to aim PDPR: trust in the digital environment
Incentive to notify, not to improve security, for companies  2nd (negative)  -    V     -     Counter to aim PCD: create a culture of risk management

Table 18: effects of SBNLs (V = proved or mentioned; X = disproved; "-" = not researched)

The positive effects increased security investments and fostered cooperation match the aims of the PCD to 1.) create a culture of risk management and 2.) enhance information exchange between the private and public sectors respectively. The other two positive effects, faster risk mitigation and increased awareness of consumers, correspond with the aims of the PDPR to enhance the personal data control of individuals and trust in the digital environment.

The second order effects in literature and qualitative analysis, although they are perceptions that can be nuanced, do match the objectives pursued in legislation. But the objectives are vaguely defined. Their attainment can be effectiveness in the legal sense, although Advocate General Sharpston stated in Volker Schecke that these aims need to be specific.329 Nevertheless, the question remains what makes an SBNL effective and when an SBNL is effective.

329 Volker Schecke (n 1) Opinion of AG Eleanor V.E. Sharpston, para 105.


9 Conclusions & recommendations

9.1 Conclusions on EU SBNLs

This thesis has the objective to make a contribution to the development of a European cybersecurity policy by means of the following research question:

To what extent does the current European Union approach concerning general SBNLs stand the proportionality test?

The PDPR introduces a personal data SBNL. Simultaneously, the PCD requires Member States to adopt a loss of integrity SBNL. The European proposals will be discussed in this conclusion. The only partially analyzed but closely linked subsidiarity question is discussed first. Hereafter, conclusions about the two elements of the proportionality test are formulated. Finally, concluding remarks about the limitations and complexity of the adhered approach are made.

9.1.1 Subsidiarity – Necessity of a European Union approach

The necessity of the European cybersecurity approach is not fully 'scrutinized' in this thesis, because subsidiarity is to a great extent a political question. Therefore, the arguments for necessity have been described. From an apolitical point of view, this thesis did not find a convincing argument about the inappropriateness of a European approach regarding cybersecurity and SBNLs.

The Commission argues that the European Union has a leadership role in enhancing cybersecurity. The European Union argues that a European cybersecurity approach is necessary because of the cross border aspect of the Internet, the necessity of a uniformly secure Internet for the Single Market and the protection of fundamental rights. The acceptance of a European approach is confirmed by the fact that there are a number of cybersecurity laws, such as the FDIS and the E‐privacy Directive, and many policy documents that stress the importance of a European cybersecurity approach.330

The Commission also justified the need for the proposed European SBNLs by stressing the need for harmonization because of the cross border aspect of the Internet in the Single Market. The necessity of removing distortions in the Single Market through a European Union SBNL approach in the PDPR is supported by the debate about SBNLs in the United States. The United States plans to unify state level SBNLs because the obligation to comply with multiple SBNLs simultaneously caused significant administrative burdens for companies.

330 See section 2.1.2 of this research for an extensive soft law discussion.


9.1.2 Proportionality(1)–Firstordereffect

IftheEuropeanUnionhasanadvantageintheregulationofcybersecurity,itslegislationstillneedstobeeffective.Legislationmustbesuitabletoachievetheaim.Thissectiondiscusses whether reviewed legislation is suitable to achieve the first order effect ofSBNLs:breachnotifications.The SBNL in the PDPR contains severe sanctions for non‐compliance. This willincentivize companies to comply with the law, although this is not supported byquantitativeanalysis.Thereareadditionalcostsrelating toenforcementof the law. Inaddition to this, the administrative burden for companies will be high, because theyhavetonotealltypesofpersonaldataloss.Someminortypesofpersonaldataloss,forexample because an employee without rights accessed the data with minor externalconsequences,alsoneedtobenotified.TheDutch initiative, this thesis’exampleofa lossof integritySBNL inArticle31PCD,lackssanctioningasanincentiveforcompliance.Moreover,thebenefitsofinformationsharingareperceivedtobelowandconfidentialtreatmentisperceivedalargeincentiveforcompliancebecauseofDutchtransparencylaws.331RelevantdesignparametersoftheEuropeanandDutchinitiativearenotclearyet.ItisunknownhowmanyresourceswillbeassignedtotheenforcementofSBNLs.It isalsounknownwhichaspectsofasecuritybreachhave tobenotifiedandinwhat formtheinformationhastobecollected.

9.1.3 Proportionality(1)–Secondordereffect

The literature review and the qualitative study demonstrate several positive secondordereffects,suchas increasedinvestments insecurity, fosteredcooperationbetweencompanies(literatureonly),increasedawarenessofconsumersofsecuritybreachesandfaster riskmitigation. The second order effects in literature and qualitative analysis,althoughtheyareperceptionsthatcanbenuanced,domatchtheobjectivespursuedinlegislation. But, the objectives are vaguely defined and their attainment can beeffectivenessinthelegalsense,butthequestionremainswhatmakesanSBNLeffectiveandwhenanSBNLiseffective.

9.1.4 Proportionality(2)–Necessityofcoexistence

Europeanlegislationmustbedesignedinsuchaway,thattherecannotbealessonerouswaytodoit.TheSBNLinfringesthefundamentalrightoffreedomtoconductbusinessbecause it imposesadministrativeburdensandreputationdamageoncompanies, inasimilarwayasScarletExtended.332Thismeansthatiftherearealternativeoptionsthatimposefewerrestrictionsoncompanies,allotherinterestsbeingequallyprotected,thecurrent approach is not necessary, and thus not proportional (see Article 52 of theCharter).

331 See the Dutch 'Wet Openbaarheid Bestuur' (Public administration disclosure law).
332 Scarlet Extended (n 12).


From this 'least restrictive measure' perspective, the necessity of the (potential) coexistence of the two proposals is equivocal. The coexistence of the two initiatives is not the least restrictive way to constitute a security breach notification obligation, because it possibly imposes unnecessary administrative burdens on companies.

The PDPR and the PCD are not mutually exclusive: loss of integrity and data protection overlap. This will create some undesirable effects. First, companies have to comply with two proposals that emit different signals and incentives, which can create legal uncertainty. The confidential treatment in the PCD will not function properly if companies are simultaneously forced to publicly disclose the same information under the PDPR. Second, the legislation will be executed on a different administrative level. This will create unnecessary costs for Member States because multiple supervisory authorities need to be constituted to receive security breach notifications. In addition to that, it will impose unnecessary administrative burdens on companies because they have to comply with multiple regimes.

9.1.5 Limitations on measuring effectiveness

The fuzziness of the aims and the complexity of measuring effects hamper the determination of a reasonable expectation of causality between the measure and the aims pursued. The Commission sets aims that are fuzzy and hard to measure, and does not specify how these goals will be achieved through the adoption of SBNLs. Likewise, the empirical measurement of effects in part β showed that it is complex to pinpoint effects of SBNLs. Moreover, the Commission undervalued the societal costs and adverse effects.

In my view, in the current situation, a reasonable expectation of effectiveness is not demonstrated sufficiently. In the theoretically desired situation, the goals are clear and measurable. The law is effective because the measurable aims are achieved by the measure. But, still, effectiveness is not simply attaining aims. Even if the causal relation between the measure and its aims can be proved in a narrow sense, the question remains whether the achievement of these aims is effective. From a security economics perspective, it can be argued that the law is effective if the revenues of positive effects are higher than the societal costs of negative effects.333 This requires an accurate empirical measurement of these effects, initiated in part β, and a quantification of these effects. Unfortunately, this approach towards effectiveness does not cover non-economic, non-measurable aims such as the protection of fundamental rights. The protection of fundamental rights is not always 'efficient' and can certainly not always be quantified, but European legislation must remain within the boundaries of fundamental rights.334 Moreover, the complexity of the legal interferences in the field of cybersecurity makes it impossible to provide an exhaustive balance sheet of all (expected) effects. A security economics perspective would not be the perfect means to define effectiveness, because some aims are not measurable and expected effects are complex.

Neither a legal nor an economic approach provides an optimal outcome for the definition of 'effectiveness'. There is no uniformity of what makes a law effective. Thus, the effectiveness question still remains. What is needed to determine the effectiveness of SBNLs? Who may decide when a law is effective? In a democracy, we all should decide. More concretely: the European Commission, Parliament and Council state ex ante, in the ordinary legislative procedure, the aims of the law. The European Court of Justice decides ex post whether the law is effective. Thus, effectiveness is redefined, as legal and economic approaches towards effectiveness are troublesome. This definition must be regarded as a starting point for further research on interpreting effectiveness of the law.

Effectiveness is the causality between a legislation and its aims defined by a democratic decision making process where as much information as possible about (potential) positive and negative effects is provided.

Thus, taking this definition into account, improving information about potential positive and negative effects is the key tool to enhance effectiveness of the law and correctly assess its necessity. The executed empirical analysis in this thesis has provided knowledge about the effects of SBNLs that can be used by the Commission. Increased availability of information about societal impact (expectations) enhances decision making of the legislature ex ante and the scrutiny of the Court ex post, which together determine the proportionality of cybersecurity laws. The Commission, which has the power of initiative, should invest to provide this information.

To conclude, additional information about effects of legislation on society will improve the quality of draft legislation and the judicial decision about proportionality. For example, information about the adverse reputation damage on companies, demonstrated in this thesis, will play a vital role when judging about the infringement on the freedom to conduct business. Additional information about effects will not be decisive in a judicial decision, since non-measurable effects also need to be balanced and (expected) effects have a certain margin of error. The proportionality test as such must be seen in relation to these inherent flaws within measuring effectiveness of the law on society. Often, causality between the measure and the aim cannot and will not be 'proven' scientifically by the legislature and the Court. Nevertheless, the proportionality principle has been a cornerstone of European Law to analyze the effectiveness and necessity of legislation. Further enhancement of the execution of this principle by improving information about societal effects increases the democratic legitimacy of European Union law.

333 See table 1, effects of SBNLs. One could also argue that only a pareto improvement of a positive effect would be preferable.
334 In countries such as China, where there is more limited attention for fundamental rights, governmental policies, for instance the construction of a highway, can be executed far more efficiently than in the European Union.

9.1.6 Complexity of measuring effects

The quantitative analysis on the effects of design parameters of SBNLs proved to be complex, because of the following reasons.335

This research experience is highly relevant for an ex post effectiveness test of the SBNL by the European Commission. When monitoring the law, this complexity should be taken into account. A central documentation of breach notifications in the European Union would be a first step to enhance the availability and representativeness of breach data. Such a dataset requires detailed thought about, amongst others, assumptions regarding the degree of non-compliance, the size of the breach and feedback loops. Without such assumptions, the validity of the results in the database, and consequently the effectiveness test, would be hampered.

9.2 Recommendations

This thesis provides three types of recommendations. There is still ambiguity about the effectiveness of the law. Nevertheless, recommendations regarding enhancement of the PCD and the PDPR are made. These recommendations will enhance the positive effects of the laws, but the implementation of these recommendations will not immediately lead to a decisive answer about causality between the measure and its aims. To enhance effectiveness further, information about effects needs to be improved. Before the adoption of the law, a reasonable expectation of effectiveness should be given. After the adoption of the law, (tools to perform) an effectiveness test need to be provided.

335 For a more extensive description of assumptions regarding the dataset, see chapter 5 of this research.

• The dataset does not cover all breaches that were notified in the observed period.
• The number of companies that do not comply with the law cannot be estimated.
• Breaches in the database do not have a similar impact. The size of the impact is hard to estimate, amongst others because breaches with a smaller number of records generally have a larger impact per record.
• The comparison of the situation before the adoption of a law with the situation after the adoption of a law is difficult. The dataset did not clarify whether a breach in the database flowed from an obligation under an SBNL, which makes it impossible to identify additional notifications through the SBNL.
• The embedment of several feedback effects, such as Internet security and reputation damage, increased the complexity of the model.


9.2.1 Regarding the enhancement of the legislative initiatives

Enhance the PCD and the Dutch initiative
The PCD and the Dutch initiative need adjustment. An adjustment of the proposals can increase compliance with the law, improve positive second order effects and mitigate negative effects. This concerns clarity of the scope, the added value of the supervisory authority and the reduction of the administrative burden for companies. The ambiguity about the scope will be resolved by a clear definition of what is meant by a 'significant loss of integrity' in the PCD and 'societal shock' in the Dutch initiative. Furthermore, the supervisory authority, such as the NCSC, must have added value in mitigating the breach. Added value implies technical cybersecurity knowledge to assist in mitigating security breaches. Otherwise, companies will not have incentives to comply with the law. Finally, a notification that concerns both a loss of integrity and a personal data breach needs to be forwarded automatically to the European supervisory authority for the PDPR. This will reduce administrative burdens for companies because it removes the need to make a separate notification for the PDPR.

Adopt a single European SBNL for both personal data and loss of integrity
The proposed mixed approach will create legal uncertainty and unnecessary administrative burdens because companies would have to comply with overlapping legislation with multiple requirements and administrative bodies. A less restrictive, equally effective policy option is recommended to the European Commission. It is recommended to extend Article 31 PDPR with a loss of integrity requirement and to abolish Article 14 PCD. This results in one single SBNL focusing on both personal data and a significant loss of integrity. It still remains necessary to provide a clear definition of the threshold of a breach and to provide the supervisory authority with technical cybersecurity knowledge.

9.2.2 A reasonable expectation of effectiveness before the adoption of the law

This thesis recommends improving the measurement of (the expectation of) effectiveness before and after the adoption of the law. These recommendations can be used for improving European law in general and the PDPR and PCD in particular. As already mentioned, effectiveness is redefined as follows to give a starting point for further research:

Effectiveness is the causality between a legislation and its aims defined by a democratic decision making process where as much information as possible about (potential) positive and negative effects is provided.

Hence, it is the duty of the European legislature to provide as much useful information as possible about the effects of the laws to enable scientific analysis of the law and improve the democratic legitimacy.

Operationalize aims that are measurable
This thesis argues that the current aims of the PDPR and the PCD are ambiguous concepts that need to be operationalized. Operationalization is the process of redefining an ambiguous concept to make it measurable in order to perform empirical observations. The Commission has the primary task to redefine the aims of the legislation. Nevertheless, this thesis proposes some starting points for this process.

The main aims of the PDPR are to enhance personal data control and trust in the digital environment in order to protect the fundamental right of data protection. This thesis recommends two alternative approaches to operationalize these aims.336 The first approach regards the aims as perceptions of European citizens. Hence, the aim would be to improve the perception of personal data control and trust in the digital environment by European citizens. The second approach uses proxies to operationalize aims. A proxy is a measurable unit that can be used to represent a non-measurable unit, to approximate or substitute the current aims. The degree of online activity of consumers, for instance the percentage of people that use the Internet, is a general proxy for personal data control and trust in the digital environment. More specific proxies concern activities on the Internet that are vulnerable to personal data theft, such as online banking, shopping or online localization. The first order effect of the legislation, the number of security breaches notified, can also be a proxy for effectiveness of the law. Regarding this proxy, one would first expect an increase and, ceteris paribus, later a decrease of the number of security breaches caused by increased security.337

The main aim of the PCD is to create a culture of risk management. A culture of risk management also needs further operationalization, for instance by defining it as the perception of companies on the level of risk management in their sector. A proxy for the culture of risk management is the amount and quality of the cybersecurity information exchange between private parties and the supervising authority.
Preferably, these measurable units should replace the current fuzzy aims to reduce ambiguity, provided that no valuable information is lost in the process of operationalization.

Explicitly mention aims that are not measurable, such as fundamental rights
It should also be stated explicitly when aims are not measurable. The PDPR and the PCD both aim to safeguard fundamental rights.338 Fundamental rights that are associated with the aims of the legislation, such as the freedom of speech and the freedom of expression, have an intrinsic value which cannot be operationalized. These important non-measurable aims should be included separately as informative input for a democratic legislative decision making process that decides about the legislation (and its aims).

Operationalize measurable side effects
An effective consideration of the democratic decision making process necessitates an extensive overview of potential negative effects of the SBNL as well.339 Currently, the cost estimation of the Commission is undervalued compared with the total societal costs of an SBNL. The European Commission should include the negative reputational effects on companies in its impact assessment, as well as expected administrative and processing costs.

Provide a reasonable expectation of causality between the law and the aims pursued
An extensive overview of measurable and non-measurable positive and negative effects of the proposed law will be available when the Commission follows up on the aforementioned recommendations. It is not possible to measure these effects before the adoption of the law, but it is possible to give a reasonable expectation of causality between the law and the aims pursued. However, currently, the Commission has not substantiated in what way the SBNL is suitable to achieve the aims pursued. Therefore, it is recommended to thoroughly study the expected effects of legislation in academic literature, by means of secondary available comparative (quantitative) analysis and by expert interviews.340 This threefold approach, adhered to in this thesis, has enhanced the knowledge about expected effects and needs further development and a wider application.341 A conceptual diagram can clarify the effects to enhance the information of the decision maker.342

Reduce the discussion about the desirability of the legislation to normative choices
The combination of tightly operationalized measurable aims and explicitly stated non-measurable aims allows for a more enhanced discussion about the desired effects of the legislation. Ideally, the expected effects of the measurable part of the legislation will be quantified in order to clarify and structure the discussion about the desirability of the law. Consequently, the discussion solely concerns normative choices about the balance between non-quantifiable effects and the sum of the measurable positive effects and negative effects.

336 There are more approaches imaginable; this is a suggestion for further research.
337 Although this also has some complex side-effects, see for instance section 8.1 of this research.
338 See section 2.3.2 of this research.
339 For instance, because the PDPR and PCD potentially infringe the fundamental right to conduct business, see section 3.2.4 of this research.

9.2.3 Tools to measure effectiveness after the adoption of the law

Register perceptions of the law and relevant proxies
The perceptions of companies and consumers regarding the law and relevant proxies need to be registered. The operationalized aims of the legislation that concern perceptions, such as the perception of trust in the digital environment, must be measured by the Commission after the introduction of the law.343 Simultaneously, the Commission must measure the perception of companies and consumers of the effectiveness of the law as such, to assess whether the parties involved with the law regard the law as effective. Such questionnaires can help to give a more qualitative indication of the effectiveness of the law.344 Apart from perceptions measured in surveys, proxies are another way to measure effectiveness of the law and need to be registered as well.

Register data about security breaches
It is important to measure effects after the introduction of the law to scrutinize the claims about expected effects made before the introduction of the law. The information about security breaches that are notified under the obligation flowing from the SBNL needs to be registered centrally. The central registration of these breaches would provide a representative longitudinal dataset. This dataset can be used to measure to which extent the SBNL is capable of incentivizing companies to notify security breaches.345 The details of the security breach can provide information about the attainment of the second order effects of the legislation. Consequently, this information should be included in a security breach notification to gain more insight into the second order effects.346 Apart from information about the security breach, the costs of processing, monitoring and enforcement should also be registered.347 The information that should be included is displayed below:

340 Such as performed in this thesis in part β.
341 Currently the fuzziness of the aims and the complexity of measuring effects hamper the determination of a reasonable expectation of causality between the measure and the aims pursued.
342 See section 8.1.2 of this research for a conceptual diagram of the first order effect of SBNLs.
343 Of course, there is much more complexity involved with attributing the possible effects operationalized in such a questionnaire or dataset to the existence of the law, see chapter 6 of this research.

9.3 Directions for further research

The legal position and societal effects of security breach notification laws deserve further empirical study. Another promising line of research would be to identify the costs of the SBNL notification system. Research showed that indirect costs are mostly

344 See for instance the Eurobarometer.
345 This dataset can do this better than the dataset used in chapter 5, because it contains exclusively and exhaustively security breaches from the SBNL.
346 This is not an exhaustive list, but mainly a synthesis of suggestions from interviews, see section 7.2.4 of this research.
347 Often, the indirect defense costs of Internet security are more expensive than the losses themselves, see section 1.1.3 of this research.

• General information:
o A detailed description of the circumstances of the security breach.
o The industry of the company that notified.
o An approximation of the damage of the breach:
- Reputation damage for the company.
- Losses for consumers.
- Damage for society because of (for instance) unavailable services.
• Information regarding a personal data breach:
o The amount of records of personal data theft.
o The type of personal data theft.
• Information regarding a loss of integrity breach:
o The level of defense of the security systems that was breached.
o Whether there is actual physical damage to computer systems or solely potential damage.
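The register fields listed above, as an added example that is not part of the thesis: a minimal record schema for the central breach register, a completeness check whose required fields depend on the breach type(s) notified, and two aggregations the dataset is meant to support (notifications over time as the first order effect, and damage per stolen record, which section 9.1.6 notes is larger for small breaches). The field names and the sample notifications are assumptions constructed for illustration.

```python
# Added example (not from the thesis): schema and validator for the central
# breach register proposed in section 9.2.3. Field names and sample records are
# assumptions constructed for illustration, not real notifications.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class BreachType(Enum):
    PERSONAL_DATA = "personal_data"          # PDPR-style notification
    LOSS_OF_INTEGRITY = "loss_of_integrity"  # PCD-style notification


@dataclass(frozen=True)
class BreachRecord:
    # General information (required for every notification)
    notified_on: date
    industry: str
    description: str
    breach_types: FrozenSet[BreachType]      # one notification may concern both
    reputation_damage_eur: float
    consumer_losses_eur: float
    societal_damage_eur: float
    # Personal data breach fields
    records_stolen: Optional[int] = None
    personal_data_type: Optional[str] = None
    # Loss of integrity fields
    defense_level_breached: Optional[str] = None
    physical_damage: Optional[bool] = None


def validate(rec: BreachRecord) -> List[str]:
    """Return the missing or inconsistent fields; an empty list means complete."""
    problems = []
    if not rec.breach_types:
        problems.append("breach_types: at least one type required")
    if not rec.description.strip():
        problems.append("description: empty")
    for name in ("reputation_damage_eur", "consumer_losses_eur", "societal_damage_eur"):
        if getattr(rec, name) < 0:
            problems.append(f"{name}: negative")
    if BreachType.PERSONAL_DATA in rec.breach_types:
        if rec.records_stolen is None or rec.records_stolen < 1:
            problems.append("records_stolen: required for a personal data breach")
        if not rec.personal_data_type:
            problems.append("personal_data_type: required for a personal data breach")
    if BreachType.LOSS_OF_INTEGRITY in rec.breach_types:
        if not rec.defense_level_breached:
            problems.append("defense_level_breached: required for a loss of integrity")
        if rec.physical_damage is None:
            problems.append("physical_damage: required for a loss of integrity")
    return problems


def total_damage(rec: BreachRecord) -> float:
    return rec.reputation_damage_eur + rec.consumer_losses_eur + rec.societal_damage_eur


def damage_per_record(rec: BreachRecord) -> Optional[float]:
    """Impact per stolen record; None when no personal data was involved."""
    if not rec.records_stolen:
        return None
    return total_damage(rec) / rec.records_stolen


def notifications_per_quarter(register: List[BreachRecord]) -> Dict[Tuple[int, int], int]:
    """Notifications per (year, quarter): the first order effect tracked over time."""
    counts: Counter = Counter()
    for rec in register:
        counts[(rec.notified_on.year, (rec.notified_on.month - 1) // 3 + 1)] += 1
    return dict(counts)


def damage_by_industry(register: List[BreachRecord]) -> Dict[str, float]:
    totals: Dict[str, float] = defaultdict(float)
    for rec in register:
        totals[rec.industry] += total_damage(rec)
    return dict(totals)


def sample_register() -> List[BreachRecord]:
    """Constructed sample notifications (hypothetical, not real incidents)."""
    return [
        BreachRecord(date(2013, 2, 4), "banking", "Credentials database copied",
                     frozenset({BreachType.PERSONAL_DATA}), 200_000.0, 50_000.0, 0.0,
                     records_stolen=10_000, personal_data_type="login credentials"),
        BreachRecord(date(2013, 5, 19), "banking", "Payment system unavailable for a day",
                     frozenset({BreachType.LOSS_OF_INTEGRITY}), 100_000.0, 0.0, 300_000.0,
                     defense_level_breached="perimeter firewall", physical_damage=False),
        BreachRecord(date(2013, 5, 30), "retail", "Customer records copied, web shop defaced",
                     frozenset({BreachType.PERSONAL_DATA, BreachType.LOSS_OF_INTEGRITY}),
                     40_000.0, 5_000.0, 0.0, records_stolen=100, personal_data_type="addresses",
                     defense_level_breached="web application", physical_damage=False),
    ]
```

In the sample register the small retail breach costs 450 EUR per stolen record against 25 EUR for the large banking breach, the pattern section 9.1.6 describes.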


higher than direct costs. Further experimental observations are needed to estimate the impact of stricter laws on compliance. A challenging task for further research would be to unravel the effect of Internet insecurity on the number of security breach notifications. The design and complexity of enforcement of an SBNL also deserve further attention. Moreover, some thought is needed on the approach to operationalize fuzzy goals.

A higher-level line of research concerns the definition of effectiveness, provided in the concluding pieces of this thesis. Within this definition, effectiveness is largely defined as the outcome of a democratic decision making process. This has the consequence that effectiveness is transformed from an objective criterion towards an intersubjective concept of truth, largely depending on the functioning of democracy. This deserves a further legal, political and philosophical exploration.


Bibliography

General bibliography

Literature

Ayres I and Braithwaite J, Responsive Regulation: Transcending the Deregulation Debate (Oxford University Press, 1992).
Asghari H, 'Botnet Mitigation and the Role of ISPs' (Master Thesis, Delft University of Technology).
van den Brink A, 'The Substance of Subsidiarity: The Interpretation and Meaning of the Principle after Lisbon' in Trybus M and Rubini L (eds), The Treaty of Lisbon and the Future of European Law and Policy (Edward Elgar Publishing 2012).
Chalmers D, Davies G and Monti G, European Union Law (second edition, Cambridge University Press 2010).
Craig P and de Búrca G, EU Law - Text, Cases and Materials (fifth edition, Oxford University Press 2011).
Heck R, Multilevel and Longitudinal Modeling with IBM SPSS (Routledge, 2010).
Hill JF, 'Internet Fragmentation: Highlighting the Major Technical, Governance and Diplomatic Challenges for U.S. Policy Makers' (Paper, Harvard Kennedy School 2012).
Jans J, de Lange R, Prechal S and Widdershoven R, Europeanisation of Public Law (Europa Law Publishing 2007).
de Jong M, Lalenis K and Mamadouh V, The Theory and Practice of Institutional Transplantation (Kluwer, 2002).
Klip A, European Criminal Law, an integrative approach (second edition, Intersentia 2012).
de Leeuw K and Bergstra J (eds), The History of Information Security: A Comprehensive Handbook (Elsevier, 2007).
Lenz C and Borchardt K, EU-Verträge Kommentar nach dem Vertrag von Lissabon (Bundesanzeiger Verlag 2010).


Meijer E, 'Convention on cybercrime, Data protection in information systems through criminal law; a comparison between the EU and the US' (Master Thesis, Utrecht University, 2012).
Renda A, Impact Assessment in the EU, The State of the Art and the Art of the State (CEPS Paperbacks 2006).
Senden L and Prechal S, 'Differentiation in and through Community Soft Law' in De Witte B, Hanf D and Vos E (eds), The Many Faces of Differentiation in EU Law (Intersentia, 2001).
Seltman H, Experimental Design and Analysis (published online, 2009).
Twisk JWR, Applied Multilevel Analysis (Cambridge University Press, 2006).
Moore T and Anderson R, 'Internet Security' in Peitz M and Waldfogel J (eds), The Oxford Handbook of the Digital Economy (Oxford University Press 2011).
Verbeek M, A Guide to Modern Econometrics (fourth edition, Wiley, 2012).
Verschuren P and Doorewaard H, Designing a Research Project (second edition, Eleven International Publishing 2010).
de Vries SA, 'The Protection of Fundamental Rights within Europe's Internal Market after Lisbon – An Endeavour for More Harmony' in de Vries SA, Bernitz U and Weatherill S (eds), The Protection of Fundamental Rights in the EU after Lisbon (Hart Publishing, 2013).
Watson A, Legal Transplants, An Approach to Comparative Law (second edition, University of Georgia Press, 1994).
Zaelke D, Making Law Work, Environmental Compliance & Sustainable Development (International Law Publishers 2005).

Journal articles

Bobek M, 'Joined Cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert, Judgment of the Court of Justice (Grand Chamber) of 9 November 2010, N.Y.R. (Annotation)' (2011) 48(6) Common Market Law Review 2005.
Burdon M, Lane B and von Nessen P, 'Data Breach Notification Law in the EU and Australia, Where to now?' (2012) 28(3) Computer Law and Security Review 296.
Calderoni F, 'The legal framework for cybercrime: striving for an effective implementation' (2010) 54(5) Crime, Law and Social Change 339.


Cavusoglu H, Mishra B and Raghunathan S, 'The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers' (2004) 9(1) International Journal of Electronic Commerce 69.
De Hert P and Papakonstantinou V, 'The proposed Data Protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals' (2012) 28(3) Computer Law and Security Review 130.
Dimitrakopoulos DG, 'The transposition of EU law: Post-decisional politics and institutional autonomy' (2001) 7(4) European Law Journal 442.
Etienne J, 'Compliance Theory: A Goal Framing Approach' (2011) 33(3) Law & Policy 305.
Goel S and Shawky H, 'Estimating the market impact of security breach announcements on firm values' (2009) 46 Information and Management 404.
Gordan M, 'When should companies go public following a security breach?' (2006) 9 Computer Fraud and Security 17.
Jans JH, 'Proportionality Revisited' (2000) 27(3) Legal Issues of Economic Integration 239.
Hunton P, 'The growing phenomenon of crime and the Internet: A cybercrime execution and analysis model' (2009) 25 Computer Law & Security Review 528.
Ko M and Dorantes C, 'The impact of information security breaches on financial performance of the breached firms: an empirical investigation' (2006) 16(2) Journal of Information Technology Management 13.
Moore T, 'The economics of cybersecurity: Principles and policy options' (2010) 3(3-4) International Journal of Critical Infrastructure Protection 103.
Muntermann J and Roßnagel H, 'On the Effectiveness of Privacy Breach Disclosure Legislation in Europe: Empirical Evidence from the US Stock Market' (2009) 5838 Lecture Notes in Computer Science 1.
Romanosky S, Telang R and Acquisti A, 'Do Data Breach Disclosure Laws Reduce Identity Theft?' (2011) 30(2) Journal of Policy Analysis and Management 256.
Schwartz PM and Janger EJ, 'Notification of Data Security Breaches' (2007) 105 Michigan Law Review 913.
Sutinen J and Kuperan K, 'A socio-economic theory of regulatory compliance' (1999) 26(1/2/3) International Journal of Social Economics 174.


Tyler TR, 'Compliance with Intellectual Property Laws: A Psychological Perspective' (1999) 29 New York University Journal of International Law and Politics 219.
Veltsos JR, 'An Analysis of Data Breach Notifications as Negative News' (2012) 75(2) Business Communication Quarterly 192.

Online articles and papers

Anderson R, 'Why Information Security is Hard – An Economic Perspective' (University of Cambridge, December 2001) <http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf> accessed 25 June 2013.
Anderson R, Barton C, Böhme R, Clayton R, van Eeten MJG, Levi M, Moore T and Savage S, 'Measuring the Cost of Cybercrime' (2012) Workshop on Economics of Information Security 6/2012 <http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf> accessed 7 January 2013.
Anderson R, Böhme R, Clayton R and Moore T, 'Security Economics and the Internal Market' (ENISA, 31 January 2008) <http://www.enisa.europa.eu/publications/archive/economics-sec> accessed 10 December 2012.
Arnbak A and van Eijk N, 'Certificate Authority Collapse, Regulating Systemic Vulnerabilities in the HTTPS Value Chain' (2012) TRPC, 20 <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2031409> accessed 8 January 2012.
Mulligan D, 'Security Breach Notification Laws: Views from Chief Security Officers' (University of Berkeley School of Law, December 2007) <http://www.law.berkeley.edu/files/cso_study.pdf> accessed 11 June 2013.
Drewer D and Ellermann J, 'Europol's data protection framework as an asset in the fight against cybercrime' (Europol, 19 November 2012) <https://www.europol.europa.eu/sites/default/files/publications/drewer_ellermann_article_0.pdf> accessed 11 June 2013.
'Fraud report Internet banking and skimming' (Nederlandse Vereniging van Banken, 2012) <http://www.veiligbankieren.nl/nl/nieuws/fraude-Internetbankieren-stijgt-eerste-half-jaar-met-14_.html> accessed 11 June 2013.
Hudson P, 'Safety Culture, Theory and Practice' (Centre for Safety Science, Leiden University, 1999), 3 <http://ftp.rta.nato.int/public//PubFulltext/RTO/MP/RTO-MP-032///MP-032-08.pdf> accessed 13 June 2013.
Kincaid C, 'Guidelines for Selecting the Covariance Structure in Mixed Model Analysis' (SUGI 30, 10 April 2005) <http://www2.sas.com/proceedings/sugi30/198-30.pdf> accessed 13 June 2013.


Pélissié du Rausas M, 'Internet Matters: The Net's sweeping impact on growth, jobs and prosperity' (McKinsey Global Institute, May 2011) <http://www.mckinsey.com/insights/high_tech_telecoms_Internet/Internet_matters> accessed 27 December 2012.
Steunenberg B and Voermans W, 'The transposition of EC Directives: A comparative study of instruments, techniques and processes in six Member States' (WODC, 2006) <https://openaccess.leidenuniv.nl/bitstream/handle/1887/4933/5_360_361.pdf?sequence=1> accessed 11 June 2013.
van Eeten MJG, Bauer JM, Asghari H and Tabatabaie S, 'The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis based on Spam Data' (2010) OECD STI Working Paper 2010/5 <http://search.oecd.org/officialdocuments/displaydocumentpdf/?cote=DSTI/DOC%282010%295&docLanguage=En> accessed 11 June 2013.
van Eeten MJG and Bauer JM, 'Security Decisions, Incentives and Externalities' (2008) OECD STI Working Paper 2008/1 <www.oecd.org/Internet/ieconomy/40722462.pdf> accessed 14 June 2013.

European Union policy documents

European Commission, 'A strategy for a Secure Information Society – Dialogue, partnership and empowerment' (Communication) COM(2006) 251 final.
European Commission, 'Communication on Network and Information Security' (Communication) COM(2001) 298 final.
European Commission, 'Cybersecurity Strategy for the European Union' (Joint Communication) JOIN(2013) 1 final.
European Commission, 'Impact Assessment accompanying the Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union' (Impact assessment of the Cybersecurity Directive) SWD(2013) 32 final.
European Commission, 'Impact Assessment accompanying (proposed) Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (Impact Assessment of the Data Protection Regulation) SEC(2012) 72 final.
European Commission, 'Legal Analysis of a Single Market for the Information Society' (DLA Piper, 2009) <http://ec.europa.eu/information_society/newsroom/cf/itemdetail.cfm?item_id=7022> accessed 10 June 2013.
European Commission, 'Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience' (Communication) COM(2009) 149 final.


European Commission, 'Report from the Commission to the Council Based on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems' (Communication) COM(2008) 448 final.
European Commission, 'Regulatory framework for electronic communications in the European Union, Situation in December 2009' (European Commission, 2009) <http://ec.europa.eu/information_society/policy/ecomm/doc/library/regframeforec_dec2009.pdf> accessed 10 June 2013.
European Council, 'The Stockholm Programme – An open and secure Europe serving and protecting citizens' (Notice) [2010] OJ C115/01.
European Commission, 'Towards a general policy on the fight against cybercrime' (Communication) COM(2007) 267 final.

Dutch policy documents

'Meldplicht Security Breaches' Kamerstukken II 2012/7, 26643, nr. 247, 1 (letter to the Dutch Lower House).
Opstelten IW, 'Brief Meldplicht en interventiemogelijkheden' (Ministry of Safety and Justice, 6 July 2012) <http://www.nctv.nl/Images/brief-cyber-meldplicht-en-interventie_tcm126-443885.pdf> accessed 11 June 2013.

Documentsfromwebsites

‘2011CostofCyberCrimeStudy’(PonemonInstitute,August2011).<http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crime_Study_August.pdf>accessed30November2012.‘Bankenbeloveninformatieovercyberaanvallenonderlingtegaandelen’(Tweakers,15April2013)<http://tweakers.net/nieuws/88507/banken‐beloven‐informatie‐over‐cyberaanvallen‐onderling‐te‐gaan‐delen.html>accessed13June2013.BarlowJP,‘DeclarationofInternetindependence’(eff.org,9Februari1996)<http://w2.eff.org/Censorship/Internet_censorship_bills/barlow_0296.declaration>accessed9January2013.‘CybersecurityAssessmentNetherlands’.(NationalCyberSecurityCentre,19September2012).<https://www.ncsc.nl/english/current‐topics/news/ncsc‐publishes‐cyber‐security‐report‐2012.html>accessed21April2013.‘CyberSecurityReport2012’(NationalCyberSecurityCentre,19September2012),22‐34<https://www.ncsc.nl/english/current‐topics/news/ncsc‐publishes‐cyber‐security‐report‐2012.html>accessed11June2013.‘DataBreachNotificationLawsbyState’(CLLA,December2012)<http://www.clla.org/documents/breach.xls>accessed12June2013.

Page 132: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

110

‘Data,Dataeverywhere’(TheEconomist,25February2010)<www.economist.com/node/15557443>accessed11June2013.‘DigitalAgendaforEurope’(EuropeanCommission,2013)<http://ec.europa.eu/digital‐agenda/>accessed21January2013.‘Eurobarometer390fortheNetherlands’(EuropeanCommission,2012)<http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_fact_nl_en.pdf>accessed7January2012.‘Eurobarometer390’(EuropeanCommission,2012),61<http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf>accessed7January2012.‘FirmsinU.S.states’(Census.gov,2013)<http://www.census.gov/econ/susb/>accessed13June2013.‘HetDiginotarincident,Waaromdigitaleveiligheiddebestuurstafelteweinigbereikt’(Onderzoeksraadvoordeveiligheid,2012).<http://www.onderzoeksraad.nl/index.php/onderzoeken/onderzoek‐diginotar/>Accessed6January2012.‘Internetpenetrationrate’(PEWInternet,2012)<http://pewInternet.org/Reports/2012/Digital‐differences/Main‐Report/Internet‐adoption‐over‐time.aspx>accessed12June2013.‘Internetstatistics’.<www.Internetworldstats.com>accessed14April2013.‘InterviewMikkoHypponen’(Tweakers,20Oktober2012)<http://tweakers.net/video/6478/mikko‐hypponen‐over‐cybercrime‐en‐digitale‐oorlog.html>accessed22October2012.‘OverviewSecurityBreaches’(NCSL,2013)<http://www.ncsl.org/issues‐research/telecom/overview‐security‐breaches.aspx>accessed2February2013.‘PopulationinU.S.states’(InternetWorldStats,2013)<http://www.Internetworldstats.com/unitedstates.htm>accessed12June2013.‘ProposalonaEuropeanStrategyforInternetSecurity’(EuropeanCommissionRoadmap,November2012)<http://ec.europa.eu/governance/impact/planned_ia/docs/2012_infso_003_european_Internet_security_strategy_en.pdf>accessed12June2013.‘PressreleaseonSymantecSecurityReport’(Symantec,7September2011)<www.symantec.com/about/news/release/article.jsp?prid=20110907_02>accessed28November2012.‘R‐squarestatisticsinSPSSMixedModels’(IBMsupport,9July2011)<http://www‐01.ibm.com/support/docview.wss?uid=swg21481012>accessed13June2013.

Page 133: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

111

SecurityBreachNotificationChart(Perkins,2013)<http://www.perkinscoie.com/files/upload/LIT_09_07_SecurityBreachExhibits2.pdf>accessed4July2013.‘StateDataSecurityBreachNotificationLaws’(MintzLevin,1December2012)<http://www.mintz.com/newsletter/2007/PrivSec‐DataBreachLaws‐02‐07/state_data_breach_matrix.pdf>accessed13June2013.‘StateDataBreachStatureForm’(BakerHostetler,2013)<http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/State_Data_Breach_Statute_Form.pdf>accessed13June2013.‘ThePrivacyRightsClearingHouseDataBase’(PrivacyRights.org,2013).From<https://www.privacyrights.org/data‐breach>accessed1February2013.‘USGDP’(USGovernmentRevenue,2013)<http://www.usgovernmentrevenue.com>accessed13June2013.‘Waterinstallatiebeschadigdbijcyberaanval’<www.automatiseringgids.nl/nieuws/2011/47/waterinstallatie‐beschadigd‐bij‐cyberaanval>accessed11June2013.

Treaties,Case‐lawandLegislation

Treatiesandprotocols

CharterofFundamentalRightsoftheEuropeanUnion[2000]OJC364‐1.Protocol(No2)ontheApplicationofthePrinciplesofSubsidiarityandProportionality[2007]OJC‐310/207.ConsolidatedVersionoftheTreatyonEuropeanUnion[2008]OJC115/13.ConsolidatedVersionoftheTreatyontheFunctioningoftheEuropeanUnion[2008]OJC115/47.ConventiononCybercrime2001.

Case‐law

CaseC‐26/62VanGendenLoos[1963]ECR1.CaseC‐6/64Costa/ENEL[1964]ECR585.Case29/69ErichStaudervCityofUlm–Sozialamt[1969]ECR419.Case93/71Leonisov.ItalianMinistryofArgiculture[1972]ECR293.

Page 134: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

112

Case41/74VanDuyn[1974]ECR1337.Case80/86Kolpinghuis[1987]ECR3969.CaseC‐260/89EllinkiRadiophoniaTileorassiAE(ERT)vDimotikiEtairiaPliroforissisandSotiriosKouvelas[1991]ECRI‐2925.CaseC‐379/98GermanyvParliamentandCouncil(TobaccoAdvertisingI)[2000]ECRI‐8419.CaseC‐112/00Schmidberger[2003]ECRI‐5659.CaseC‐105/03CriminalproceedingsagainstMariaPupino[2005]ECRI‐5285.C‐275/06Promusicae[2006]ECRI‐271.CasesC‐152/07&C‐154/07Arcor[2008]ECRI‐5959.JoinedCasesC‐92/09andC‐93/09VolkerundMarkusScheckeandEifert[2010]ECRI‐0000.CaseC‐70/10ScarletExtendedvSABAM[2011]ECRI‐0000.JoinedCases‐411/10andC‐493/10N.S.vSecretaryofStatefortheHomeDepartment[2011]ECRI‐0000,paras64‐69.

EuropeanUnion(proposed)legislation

CouncilDirective(EC)95/46EContheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata[1995],OJL281.CouncilDirective(EC)96/96ontheapproximationofthelawsoftheMemberStatesrelatingtoroadworthinesstestsformotorvehiclesandtheirtrailers[1996]OJL49.EuropeanCommission‘GuidelinesonthemethodofsettingfinesimposedpursuanttoArticle23(2)(a)ofRegulationNo1/2003(LeniencyPolicy)’[2006]OJL210/02.CouncilDirective(EC)2004/48ontheenforcementofintellectualpropertyrights[2005]OJL195/16.FrameworkDecision(FD)2005/222/JHAonattacksagainstinformationsystems[2005]OJL69/67.EuropeanCommission‘ProposalforaDirectiveonattacksagainstinformationsystemsandrepealingCouncilFrameworkDecision2005/222/JHA’(ProposalforDirective)COM(2010)517final.

Page 135: The Legal Position and Societal Effects of Security Breach ... › TBM › Over... · sensu, which is sometimes mentioned separately, see section 3.2.1 of this research. 3 See also

113

CouncilRegulation(EC)1290/2005onthefinancingofthecommonagriculturalpolicy[2005]OJL209/1asamendedbyCouncilRegulation(EC)1437/2007[2007]OJL322/1.CouncilDirective(EC)2009/136amendingDirective2002/22/EConuniversalserviceandusers’rightsrelatingtoelectroniccommunicationsnetworksandservices,Directive2002/58/ECconcerningtheprocessingofpersonaldataandtheprotectionofprivacyintheelectroniccommunicationssectorandRegulation(EC)No2006/2004oncooperationbetweennationalauthoritiesresponsiblefortheenforcementofconsumerprotectionlaws.CouncilDirective(EC)2009/140amendingDirectives2002/21/EConacommonregulatoryframeworkforelectroniccommunicationsnetworksandservices,2002/19/EConaccessto,andinterconnectionof,electroniccommunicationsnetworksandassociatedfacilities,and2002/20/EContheauthorisationofelectroniccommunicationsnetworksandservices[2009]OJL337/37.EuropeanCommission‘ProposalforaRegulationconcerningtheEuropeanNetworkandInformationSecurity’(ProposedRegulation)COM(2010)521final.EuropeanCommission‘ProposalforaRegulationontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata’(ProposedDataProtectionRegulation)COM(2012)11final.EuropeanCommission‘ProposalforaDirectiveoftheEuropeanParliamentandoftheCouncilconcerningmeasurestoensureahighcommonlevelofnetworkandinformationsecurityacrosstheUnion’(ProposedCybersecurityDirective)COM(2013)48final.

Dutchlegislation

Telecommunicatiewet<http://wetten.overheid.nl/BWBR0009950>accessed19June2013.WetOpenbaarheidBestuur<http://wetten.overheid.nl/BWBR0005252>accessed19June2013.

Experts consulted

Official interviews:

Name                   Position / Institution
Mr. A. Engelfriet      Associate, IT-Recht
Mr. R. Prins           Founder, FoxIT
Mr. R. Ragetlie        Risk manager, Brabant Water
Mr. W. Vrijssen        Security manager, Vodafone

Exploratory interviews:

Name                   Position / Institution
Mr. A. Arnbak          PhD candidate, University of Amsterdam
Mr. H. Asghari         PhD candidate, TU-Delft
Mr. F. Bisogni         PhD candidate, TU-Delft
Mr. T. van den Brink   Associate Professor, Utrecht University
Mr. D. van Duren       Policy advisor, Ministry of Security and Justice
Mr. B. Eidhof          PhD candidate, University of Amsterdam
Ms. B. Givens          Director, Privacy Rights Clearinghouse
Mr. J. Leenheer        Policy advisor, NCSC
Mr. R. Philipse        Business analyst, Google Inc.
Ms. N. Saanen          Associate Professor, TU-Delft
Mr. B. Rijkhoek        Policy advisor, Ministry of Security and Justice
Mr. S. Romanosky       Research fellow, Carnegie Mellon University
Mr. H. Verweij         Policy advisor, NCSC

Appendix A – Interview template

Total duration: 60 minutes

1. Explanation of subject and introduction (5-10 minutes)

● Security Breach Notification Laws (SBNL)
  ○ Dutch, European initiatives & American legislation
  ○ Context of the interview: increase knowledge about the effects of SBNLs and support for the dataset.
● Goal of the interview
  ○ Insights of the respondents into the first and second order effects of an SBNL
  ○ Comments of the respondents on the procedure adhered to in building the dataset.
● Joint goal:
  ○ Rethink SBNLs and the benefits and necessity of current legislation.

Main subject: Effects of an SBNL (20 minutes)

What consideration does a company make to notify or withhold a notification?
What do you expect of the effectiveness of an SBNL?
Do you expect more notifications after an SBNL?
Which variables are essential for the (first order) effectiveness of SBNLs?
What are important characteristics of a breach or a company that determine the effectiveness of an SBNL? (For instance the severity of a breach, or the type of company that should be notified?)
How would you measure the effectiveness of SBNLs?

5. Database specific (15 minutes)

General questions
What would be the effect of higher sanctions on compliance? (var. Sanctioning v3; Not AG)
What would be the effect of confidential treatment of the notification, such as the NCSC practice? (also: private cause of action, not_ag)
What would be the effect of the scope of the SBNL?
- Presentation of results from the statistical analysis -
Representativeness: How do you value a database that contains breaches of 0.05% of the U.S. companies?
The current dataset displays all kinds of notifications (consumers, third parties etc.). How can we filter for these sources?
Breaches do not have equal sizes. How could we rank breaches?
Mapping the law
What would be a decent approach to map the different characteristics of the law?
Improvements to the dataset
How can we further improve our data and generate more data?
How can the registration of data be improved?

Other/extra: How does a security breach notification function at companies? (5 minutes)

● What does it mean for companies to process security breaches?
  ○ How does the security breach procedure function?
  ○ Who is responsible?
  ○ What is the speed of a notification?

Discuss second order effects found in the literature. (5-10 minutes)

6. Wrap up, conclusions (5-10 minutes)

● Extra questions/remarks
● Suggestions for next steps, relevant contacts.

Appendix B – Classifications of the American SBNLs

Columns: year of introduction of the SBNL ("no SBNL" where the state had none), followed by the six classification variables Sanctioning, Private_action, Strictness_Romanosky, Scope_law, Not_custcredit and Not_ag, each coded 0/1.

State             Introduced  Sanctioning  Private_action  Strictness_Romanosky  Scope_law  Not_custcredit  Not_ag
Alabama           no SBNL     0            0               0                     0          0               0
Alaska            2009        0            1               0                     1          1               0
Arizona           2007        0            0               0                     0          0               0
Arkansas          2005        0            0               0                     1          0               0
California        2003        0            1               1                     1          0               1
Colorado          2006        0            0               0                     0          1               0
Connecticut       2006        0            0               0                     0          0               1
Delaware          2005        0            0               0                     0          0               0
Florida           2005        1            0               0                     0          1               0
Georgia           2005        0            0               0                     1          1               0
Hawaii            2008        0            0               1                     0          1               1
Idaho             2006        0            0               0                     0          0               1
Illinois          2006        0            0               0                     0          0               0
Indiana           2006        1            0               0                     0          1               1
Iowa              2008        0            0               0                     1          0               0
Kansas            2006        0            0               0                     1          1               0
Kentucky          no SBNL     0            0               0                     0          0               0
Louisiana         2006        1            1               0                     0          0               1
Maine             2006        1            0               0                     1          1               1
Maryland          2008        0            1               1                     1          1               1
Massachusetts     2007        0            1               1                     1          1               1
Michigan          2007        1            0               0                     0          1               0
Minnesota         2006        0            0               1                     0          1               0
Mississippi       2011        0            0               0                     0          0               0
Missouri          2009        0            0               0                     1          1               1
Montana           2006        0            0               0                     0          1               0
Nebraska          2006        0            1               0                     1          0               0
Nevada            2005        0            0               0                     0          1               0
New Hampshire     2007        0            1               0                     1          1               1
New Jersey        2006        0            0               0                     1          1               1
New Mexico        no SBNL     0            0               0                     0          0               0
New York          2005        1            0               0                     1          1               1
North Carolina    2005        0            1               0                     1          1               1
North Dakota      2005        0            0               0                     1          0               0
Ohio              2006        1            0               0                     1          1               0
Oklahoma          2006        1            0               0                     0          0               0
Oregon            2007        1            1               0                     1          1               0
Pennsylvania      2006        0            0               0                     0          1               0
Rhode Island      2006        0            0               1                     0          0               0
South Carolina    2009        1            1               0                     1          1               1
South Dakota      no SBNL     0            0               0                     0          0               0
Tennessee         2005        0            1               1                     0          1               0
Texas             2009        1            1               0                     1          1               0
Utah              2007        1            0               0                     0          0               0
Vermont           2007        0            0               1                     1          1               1
Virginia          2008        1            1               1                     1          1               1
Washington        2005        0            1               0                     0          0               0
West Virginia     2008        1            0               0                     0          1               0
Wisconsin         2007        0            0               0                     1          1               0
Wyoming           2007        0            0               0                     1          0               0

Appendix C – Case summaries

Each table gives, per value of the classification variable and per year, the number of state observations (N) and the mean, median and standard deviation of Breaches_per_firm and of Breaches_per_firm_sel.

Sanctioning = 0
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     9    28.14    33.79    16.276     27.04    28.76    15.859
2006    20    80.60    75.59    47.758     75.13    68.23    42.972
2007    26    74.86    67.59    52.219     68.06    59.20    49.913
2008    29    54.38    46.40    38.333     44.07    39.56    33.162
2009    31    42.51    37.30    35.277     35.74    33.52    27.457
2010    31   104.14    98.49    47.084     74.95    64.67    41.372
2011    32   103.47    94.97    62.187     53.91    44.14    45.842
2012    32    98.50    90.59    54.100     54.51    47.48    41.131
Total  210    78.09    71.74    53.696     55.69    47.71    41.992

Sanctioning = 1
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     2    14.77    14.77    10.828     14.77    14.77    10.828
2006     7    71.94    48.79    56.674     65.18    44.14    51.392
2007    10    71.46    77.07    34.234     58.90    53.94    33.320
2008    12    59.89    54.10    25.060     51.17    51.38    25.790
2009    14    50.20    50.86    27.993     42.10    41.47    30.127
2010    14    82.76    91.98    33.940     61.63    64.43    21.441
2011    14    91.14    89.87    29.711     52.10    50.80    29.729
2012    14    98.43    99.15    31.208     56.13    53.42    22.322
Total   87    74.50    74.56    36.900     53.52    53.25    29.766

Strict_Romanosky = 0
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     9    22.88    22.42    16.333     22.26    22.42    15.966
2006    23    75.59    71.95    47.353     69.42    64.62    40.914
2007    30    71.91    69.17    49.279     62.55    55.63    46.707
2008    32    51.85    48.41    32.422     42.39    39.65    29.565
2009    36    42.59    35.38    29.205     36.23    32.51    26.490
2010    36    89.52    90.39    42.055     64.24    62.71    34.736
2011    37    88.55    87.32    30.715     44.81    46.99    27.533
2012    37    92.38    95.16    45.286     52.84    51.90    35.395
Total  240    71.71    68.16    43.714     51.08    47.52    35.766

Strict_Romanosky = 1
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     2    38.41    38.41     0.737     36.30    36.30     3.713
2006     4    94.28    75.59    64.482     90.55    68.11    66.073
2007     6    83.94    66.94    39.125     80.31    63.52    40.102
2008     9    70.73    77.52    40.649     59.50    64.60    34.246
2009     9    54.16    50.59    46.467     43.70    40.25    35.077
2010     9   129.37   122.17    39.617     97.08    81.45    33.609
2011     9   145.65   122.17    97.002     88.50    65.17    66.674
2012     9   123.52    93.79    53.083     63.89    42.49    40.252
Total   57    99.45    92.38    63.858     71.77    64.60    46.211

Private_action = 0
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     7    24.34    22.42    17.442     23.54    22.42    17.059
2006    21    80.20    71.95    52.429     73.39    64.39    46.948
2007    27    73.58    68.13    52.735     63.78    52.88    50.387
2008    30    49.70    47.31    33.603     38.61    33.43    27.882
2009    31    39.58    34.94    31.803     34.91    31.50    27.382
2010    31    92.85    93.35    44.394     71.17    67.36    36.235
2011    32    95.56    87.03    59.811     49.03    41.01    45.835
2012    32    92.61    82.60    51.080     52.95    49.61    35.223
Total  211    73.27    66.51    51.292     52.79    46.99    40.525

Private_action = 1
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     4    28.09    33.32    14.920     27.04    31.22    14.126
2006     6    71.89    81.79    39.238     69.63    78.33    38.201
2007     9    74.92    70.11    28.470     70.71    66.83    28.604
2008    11    73.16    77.52    33.369     66.70    62.43    31.053
2009    14    56.69    55.27    33.879     43.94    50.53    29.777
2010    14   107.77   101.05    43.514     70.00    63.50    38.858
2011    14   109.24   112.81    39.339     63.24    64.92    27.141
2012    14   111.88    96.83    38.122     59.68    50.45    39.269
Total   86    86.29    88.88    43.066     60.61    60.39    33.680

Scope_law = 0
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     5    28.25    38.93    19.699     28.25    38.93    19.699
2006    17    81.00    72.44    51.076     73.41    64.39    45.103
2007    21    76.51    66.83    56.041     66.14    53.07    54.142
2008    23    54.20    48.22    38.688     42.48    39.56    32.669
2009    23    47.32    40.25    36.535     39.52    34.37    31.926
2010    22    96.50    86.97    49.694     70.06    63.47    35.104
2011    22    93.82    90.39    35.995     44.98    38.11    37.475
2012    22   102.90    96.06    45.699     55.51    53.23    26.656
Total  155    76.84    71.45    48.688     54.30    47.75    39.239

Scope_law = 1
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     6    23.59    25.59    13.545     21.95    25.29    11.961
2006    10    73.87    75.35    48.232     71.09    68.23    45.781
2007    15    70.29    70.11    33.436     64.63    70.11    31.886
2008    18    58.29    52.96    29.914     50.83    45.35    29.057
2009    22    42.38    36.56    29.641     35.84    34.23    24.132
2010    23    98.43   100.49    39.305     71.52    67.89    38.807
2011    24   105.13    94.97    67.297     61.04    56.22    43.844
2012    24    94.42    93.09    50.522     54.53    47.49    43.746
Total  142    77.25    74.70    50.207     55.87    51.78    38.383

Not_ag = 0
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     8    24.21    26.22    18.294     23.51    23.41    17.978
2006    18    80.76    68.53    50.557     74.54    64.51    44.935
2007    24    60.51    61.54    43.341     53.02    48.12    43.589
2008    26    53.23    47.31    33.214     42.85    37.95    29.219
2009    28    39.08    34.67    26.684     33.87    32.51    25.060
2010    28    96.06    94.97    41.505     67.09    63.37    33.380
2011    29    86.28    90.91    30.020     37.50    35.49    25.937
2012    29    92.85    95.16    50.118     54.49    51.90    37.422
Total  190    70.86    66.53    44.525     49.53    46.84    36.023

Not_ag = 1
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     3    29.69    28.76     7.772     28.29    28.76     5.640
2006     9    73.54    78.74    49.029     68.58    67.71    45.969
2007    12   100.73    93.58    45.380     90.51    83.20    40.381
2008    15    60.79    54.06    37.972     51.86    48.60    34.247
2009    17    54.48    49.86    40.587     44.07    36.26    32.354
2010    17    99.85    99.13    49.514     76.92    72.10    41.778
2011    17   122.65   111.52    76.418     80.41    65.17    48.798
2012    17   108.07    93.79    43.718     55.87    39.40    35.103
Total  107    88.01    84.63    55.428     64.86    60.13    41.628

Not_custcredit = 0
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     5    22.16    18.65    20.170     21.31    18.65    19.424
2006    12    79.02    67.90    62.940     73.00    58.74    56.735
2007    15    65.25    67.05    60.516     54.92    39.07    55.966
2008    16    45.06    43.47    34.451     34.55    38.60    25.380
2009    16    33.17    32.95    23.921     30.11    29.09    25.651
2010    16   100.44   109.18    49.855     72.68    67.75    41.026
2011    17    85.81    86.75    36.591     40.26    35.49    33.801
2012    17    92.26    95.30    61.631     44.50    47.32    33.254
Total  114    69.51    55.69    52.733     47.76    40.77    41.251

Not_custcredit = 1
               Breaches_per_firm          Breaches_per_firm_sel
Year     N     Mean   Median  Std.dev.      Mean   Median  Std.dev.
2005     6    28.66    31.28    12.539     27.72    28.46    12.287
2006    15    77.82    72.44    37.235     72.19    64.62    33.841
2007    21    80.10    68.24    35.778     73.08    66.83    36.155
2008    25    62.99    54.15    33.770     53.57    51.86    32.496
2009    29    51.37    50.59    35.902     41.92    36.14    28.970
2010    29    95.86    87.43    41.572     69.77    64.67    34.692
2011    29   107.88    95.37    61.586     61.04    50.92    43.819
2012    29   102.12    93.79    38.533     61.16    53.25    36.975
Total  183    81.73    77.52    46.633     59.59    53.29    36.533

Appendix D – Cost of compliance and non-compliance

In section 4.3.1, the cost of compliance and non-compliance are estimated as follows. This is done by making the assumptions listed at the end of this appendix.

The cost of compliance in Michigan and the European Union equals the reputation damage. The reputation damage = 1% * market value = 1% * 50 million dollar = 500,000 dollar.

The cost of non-compliance equals the expected value of the sanction and the reputation damage. The sanction in the European Union = 2% * worldwide turnover = 2% * 10 million dollar = 200,000 dollar. The likelihood of 'getting caught' = likelihood of apprehension + likelihood of unintended disclosure = 10% + 20% = 30% (the two likelihoods are simply added, which treats the two ways of being caught as mutually exclusive). Thus the expected value of the cost of non-compliance = likelihood of getting caught * (sanction + reputation damage). In the European Union this equals 30% * (200,000 dollar + 500,000 dollar) = 210,000 dollar. In Michigan this equals 30% * (750,000 dollar + 500,000 dollar) = 375,000 dollar.

Expected cost of compliance and non-compliance per breach
• Cost of compliance (reputational damage)
  o European Union: 500,000 dollar
  o Michigan: 500,000 dollar
• Cost of non-compliance (possible reputational damage and possible penalty)
  o European Union: 210,000 dollar
  o Michigan: 375,000 dollar

Assumptions
• Worldwide turnover: 10 million dollar
• Price to sales ratio: 5:1
• Market value (worldwide turnover * price to sales ratio) = 50 million dollar
• Likelihood of apprehension: 10%
• Likelihood of unintended disclosure: 20%
• Michigan fine: 750,000 dollar
• European Union fine: 2% of worldwide turnover
• Reputation damage: 1% loss of market value
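The expected-value comparison above, written out as a small model so that the assumptions can be varied. This is an added example, not code from the thesis: the function and class names are the editor's, the parameter values are the appendix's assumptions, and the model goes one step beyond the appendix by solving for the break-even detection probability (the likelihood of getting caught at which withholding a notification stops being cheaper than notifying), and by offering the alternative of combining the two likelihoods as independent events instead of adding them.

```python
"""Expected-cost model of breach-notification compliance (Appendix D).

Added example, not the thesis author's code. Parameter defaults are the
appendix's assumptions; the break-even analysis is an extension.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    turnover: float = 10_000_000.0   # worldwide turnover, dollars (appendix)
    price_to_sales: float = 5.0      # market value = turnover * 5 (appendix)
    reputation_loss: float = 0.01    # 1% of market value lost once public
    p_apprehension: float = 0.10     # likelihood of apprehension (appendix)
    p_disclosure: float = 0.20       # likelihood of unintended disclosure


def market_value(a: Assumptions) -> float:
    return a.turnover * a.price_to_sales


def reputation_damage(a: Assumptions) -> float:
    """Damage suffered once a breach becomes public, notified or not."""
    return a.reputation_loss * market_value(a)


def fine(jurisdiction: str, a: Assumptions) -> float:
    """Sanction per breach as assumed in the appendix for each jurisdiction."""
    if jurisdiction == "EU":
        return 0.02 * a.turnover     # 2% of worldwide turnover
    if jurisdiction == "Michigan":
        return 750_000.0             # fixed fine assumed in the appendix
    raise ValueError(f"no fine assumption for {jurisdiction!r}")


def p_caught(a: Assumptions, independent: bool = False) -> float:
    """Probability that an unreported breach surfaces anyway.

    The appendix adds the two likelihoods (10% + 20% = 30%), i.e. it treats
    apprehension and unintended disclosure as mutually exclusive. With
    independent=True they are combined as independent events instead.
    """
    if independent:
        return 1.0 - (1.0 - a.p_apprehension) * (1.0 - a.p_disclosure)
    return a.p_apprehension + a.p_disclosure


def cost_of_compliance(a: Assumptions) -> float:
    """Notifying makes the breach public, so the reputation damage is certain."""
    return reputation_damage(a)


def cost_of_non_compliance(jurisdiction: str, a: Assumptions, p: float) -> float:
    """Expected cost of withholding: fine plus reputation damage, only if caught."""
    return p * (fine(jurisdiction, a) + reputation_damage(a))


def break_even_probability(jurisdiction: str, a: Assumptions) -> float:
    """Detection probability at which withholding costs as much as notifying.

    Solves p * (fine + damage) = damage for p. Below this p, a purely
    cost-driven firm withholds; the fine only deters above it.
    """
    damage = reputation_damage(a)
    return damage / (fine(jurisdiction, a) + damage)


def compare(a: Assumptions = Assumptions()) -> dict:
    """Reproduce the appendix's figures and add the break-even p per jurisdiction."""
    p = p_caught(a)
    return {
        j: {
            "compliance": cost_of_compliance(a),
            "non_compliance": cost_of_non_compliance(j, a, p),
            "break_even_p": break_even_probability(j, a),
        }
        for j in ("EU", "Michigan")
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:9s} notify={row['compliance']:>10,.0f}  "
              f"withhold={row['non_compliance']:>10,.0f}  "
              f"break-even p={row['break_even_p']:.0%}")
```

With the appendix's numbers the model returns 500,000 versus 210,000 dollar for the EU and 500,000 versus 375,000 dollar for Michigan, so withholding is cheaper in both cases; the break-even detection probability is about 71% for the EU fine and 40% for the Michigan fine, both well above the 30% the appendix assumes.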

