Notifications of data subjects and data protection authorities in the case of specific forms of data security breaches are now mandated under the EU GDPR and all U.S. states. These laws are applauded as enhancing the rights of individuals and policing entities amassing personal data. The laws feature multiple notification requirements. They are joined by additional forms of regulations which pertain to security-related contexts and communications. Yet implementing and enforcing these rights is not without costs or consequences. Therefore, we must critically assess: what are these rules good for and how might they be improved? The panel will address the benefits, utility and costs of these regulatory requirements to individuals and organizations. It will also examine the challenges they create for regulators. After doing so, it will try to balance the related factors and consider whether there are innovative alternatives. In view of this background, the panel will consider questions such as the following:
• Under what conditions could notification policy promote cybersecurity investment?
• What, if anything, can be learned from other regulatory fields (e.g. environmental law, NIS Directive) that employ notification regimes to achieve regulatory ends?
• Will reporting fatigue substantially impact the effectiveness of notification schemes?
• How are DPAs implementing these new requirements?