2023 Australasian Actuarial Education and Research Symposium

Xingyun Tan

University of Melbourne

Analysing reporting patterns and frequency of data breaches published by state Attorneys General in the United States

This is joint work with Benjamin Avanzi, Greg Taylor, Bernard Wong

We study data breach notifications and investigate breach frequency by state and severity of the breach in the United States. We identify how breaches are notified over time, and discuss how to project breaches that have incurred but have not been reported yet. We utilise a set of public data provided by state Attorneys General that contains dates of occurrence and recent breaches, which are not included in the most widely used public dataset provided by the Privacy Rights Clearinghouse (PRC). We introduce this data set and compare it with the PRC dataset for cyber researchers to understand their disparities and better use these resources to obtain cyber insurance insights. We implement a new event definition that provides insight into the true impact of data breaches and allows for managing cyber insurance at portfolio level. Our analysis provides important insights. The reporting patterns vary significantly across different time periods and breach sizes, and the average delay between occurrence and reporting has increased across states. The data breach frequency is relatively stable before 2020 but increases subsequently across states. Although the reporting patterns vary across states, states exhibit similarities in frequency trends, the timing of change in reporting patterns, and trends in the average delay.