The legislation has had a positive effect on security, according to Deirdre Mulligan, clinical professor of law at the UC Berkeley School of Law.
She told silicon.com: “I believe that the law has heightened the attention paid to information security. The initial impact of the law was likely to make incidents public but the lasting effect should be to reduce the number and severity of breaches by creating incentives to invest in security.”
Mulligan said her research had shown that security breaches drive information exchange among security professionals – for example some chief security officers summarised news reports from breaches at other organisations and circulated them to staff with ‘lessons learned’ from each incident.
She said: “The goal of the law was to improve security practices, not provide notices. Research and anecdote both suggest that it has improved practices along many dimensions. As practices improve, notices should decrease.”
Some organisations have a ‘that could have been us’ moment and patch systems with vulnerabilities similar to those exploited at the organisation that suffered the breach. The introduction of the legislation has meant an improved focus on security and better information about the costs of failure, which allows for sounder investment decisions, she added.