ABSTRACT

This chapter addresses the lack of adequate information about the likelihood of various sizes of breaches, and problems with inadequate defenses that we have argued are caused by that lack of information. It proposes that businesses participate in mandatory reporting so that the probability of the occurrence of data breaches and their costs to businesses can be determined. An anonymized summary of the collected information would be shared at least with all mandatory reporters. To aggregate information about the consumer cost of data breaches, the chapter does not propose mandatory reporting by consumers to the government, since that would raise significant privacy issues. Instead, the chapter proposes government-initiated or government-funded research that focuses on consumers who consent to provide their information.