The types of data that States require companies and state and local agencies to protect as personal information, and each State’s reporting requirements, are useful variables for researchers to leverage when reviewing breaches holistically.
For example, a government’s emphasis on protecting the information can have clear implications for a given population’s vulnerability. States with more panoptic laws could be more likely to put an emphasis on cyber-awareness and education, resulting, again, in a less vulnerable population.
Leveraging each State’s breach notification requirements, social science researchers could identify ethical loopholes in the laws that could allow companies and government agencies to get away with compromising a person’s information. For example, if a certain number of files must be compromised before an incident is called a “breach”, this could encourage compilation of data to reduce the number of files, reducing a company’s culpability to its consumers.