BNA on Mandatory Disclosure Laws

BNA (registration required) runs an article recapping state-level activity on mandatory security breach notification laws. Seven states (Arkansas, California, Georgia, Indiana, Montana, North Dakota, and Washington) have adopted laws, and Florida is expected to join this list soon. The laws are not intrinsically inconsistent, but each has its own nuances, increasing the regulatory costs for any affected organization. It seems likely to me that the state laws will continue to proliferate until Congress preempts the field with its own mandatory disclosure law.

However, I remain curious whether these mandatory disclosure laws are good social policy. We now have some data on the California experience (plus the follow-on disclosures made voluntarily by companies). Have these disclosures made consumers better off? I’ve argued before that these laws may actually hurt consumers by increasing their level of distress without giving the consumers any ability to address the situation. Meanwhile, due to the press attention given to each notification, the mandatory disclosure laws have led to increased calls for new substantive data protection/security laws, for better or worse.