
On the evolution of data breach reporting patterns and frequency in the United States: a cross-state analysis

Benjamin Avanzi, Xingyun Tan, Greg Taylor, Bernard Wong

TL;DR

This study harmonizes data breach frequency analysis by using state Attorney General disclosures from eight U.S. states, which are mandated under state data breach notification laws and include reporting delays. It deploys a cross-classified over-dispersed Poisson framework with Generalised Additive Models to model quarterly run-off triangles, estimate incurred-but-not-reported (IBNR) breaches, and disentangle development, accident, and calendar effects. The analysis reveals a lengthening delay between breach occurrence and reporting, similar frequency trends across states, and a notable break in 2020Q1, with smaller breaches growing more volatile than larger ones. The findings have direct implications for cyber insurance pricing, reserving, and capital planning, highlighting the need to account for varying reporting propensities and breach severities in risk assessment. Overall, the paper provides a robust, state-level perspective on cyber breach frequency that complements national datasets and informs insurer decision-making in a rapidly evolving risk landscape.

Abstract

Understanding the emergence of data breaches is crucial for cyber insurance. However, analyses of data breach frequency trends in the current literature lead to contradictory conclusions. We put forward that those discrepancies may be (at least partially) due to inconsistent data collection standards, as well as reporting patterns, over time and space. We set out to carefully control both. In this paper, we conduct a joint analysis of state Attorneys General's publications on data breaches across eight states (namely, California, Delaware, Indiana, Maine, Montana, North Dakota, Oregon, and Washington), all of which are subject to established data collection standards, namely state data breach (mandatory) notification laws. Thanks to our explicit recognition of these notification laws, we are capable of modelling frequency of breaches in a consistent and comparable way over time. Hence, we are able to isolate and capture the complexities of reporting patterns, adequately estimate IBNRs, and yield a highly reliable assessment of historical frequency trends in data breaches. Our analysis also provides a comprehensive comparison of data breach frequency across the eight U.S. states, extending knowledge on state-specific differences in cyber risk, which has not been extensively discussed in the current literature. Furthermore, we uncover novel features not previously discussed in the literature, such as differences in cyber risk frequency trends between large and small data breaches. Overall, we find that the reporting delays are lengthening. We also elicit commonalities and heterogeneities in reporting patterns across states, severity levels, and time periods. After adequately estimating IBNRs, we find that frequency is relatively stable before 2020 and increasing after 2020. This is consistent across states. Implications of our findings for cyber insurance are discussed.
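The following added example (not the authors' code) shows why reporting delay matters when reading breach counts: it completes a small quarterly run-off triangle with the plain chain-ladder method, whose estimates coincide with the maximum-likelihood fit of a cross-classified over-dispersed Poisson model that has accident and development effects only. The paper's Generalised Additive Models and calendar effects are not reproduced, and all counts and function names are constructed for illustration.

```python
# Constructed sample data. Rows: accident quarter (when the breach occurred).
# Columns: development quarter (delay until notification to the state AG).
# Values: cumulative breaches reported so far; None = not yet observable.
TRIANGLE = [
    [40, 70, 85, 90],      # oldest quarter, fully developed
    [44, 77, 93, None],
    [50, 88, None, None],
    [60, None, None, None],  # most recent quarter, one period observed
]


def development_factors(tri):
    """Volume-weighted ratio of cumulative counts at delay j+1 to delay j,
    using only accident quarters observed at both delays."""
    factors = []
    for j in range(len(tri[0]) - 1):
        rows = [r for r in tri if r[j + 1] is not None]
        factors.append(sum(r[j + 1] for r in rows) / sum(r[j] for r in rows))
    return factors


def project_ultimate(tri):
    """Return (reported, ultimate, ibnr) per accident quarter.

    ultimate is the latest reported count rolled forward through the
    remaining development factors; ibnr is the share not yet reported.
    """
    factors = development_factors(tri)
    results = []
    for row in tri:
        last = max(j for j, v in enumerate(row) if v is not None)
        ultimate = float(row[last])
        for f in factors[last:]:
            ultimate *= f
        results.append((row[last], ultimate, ultimate - row[last]))
    return results


if __name__ == "__main__":
    for q, (rep, ult, ibnr) in enumerate(project_ultimate(TRIANGLE)):
        print(f"AQ{q}: reported={rep:3d} ultimate={ult:6.1f} IBNR={ibnr:5.1f}")
```

Comparing only the reported column would suggest the most recent quarter is the quietest; after completion it has the highest estimated ultimate count.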

Paper Structure (85 sections, 19 equations, 19 figures, 26 tables)

This paper contains 85 sections, 19 equations, 19 figures, 26 tables.

Figures (19)

  • Figure 1: Development pattern trends
  • Figure 2: Reported versus Ultimate incurred breaches
  • Figure 3: Ultimate incurred breaches by AQ, expressed as a percentage of the average over AQs 2015Q4 to 2016Q3
  • Figure 4: Quarterly growth rates of ultimate incurred breaches (AQ 2012Q1 - 2021Q4)
  • Figure 5: Fitted average delay and its trend
  • ...and 14 more figures