The UMBC Cyber Defense Lab presents
The Effects of Privacy Regulation on the Market for Stolen Data
Dr. Anderson Frailey, Economics Department, UMBC
12-1 pm ET Friday, April 24, 2026; online
Individuals are constantly generating streams of data collected by businesses, educational institutions, data brokers, and many other organizations. These organizations are regularly targeted by cyber criminals attempting to steal that data to exploit or sell it in online markets. I propose a model of the stolen data economy to show how privacy regulations may affect this market. I then introduce a novel dataset of data breaches to study the effects of the European Union's General Data Protection Regulation (GDPR) on the quantity of data available in the illicit market. Using a difference-in-differences design, I find that the GDPR caused a 60 percent reduction in the number of data breaches traded, but no reduction in the aggregate amount of data available. At the individual breach level, I find an over 60 percent increase in the amount of data they contain. These results are consistent with the model’s prediction that higher-value targets will make up a larger portion of post-GDPR data breaches due to changes in their relative value.
Dr. Anderson Frailey is an Assistant Professor in the Department of Economics at UMBC. He received his PhD and MA in economics from the University of Virginia and his BA in economics from the University of Texas at Austin. His research focuses on the economics of privacy, information, and cybercrime. Occasionally, he will also dabble in baseball analytics.
Support for this event was provided in part by the NSF under SFS grants DGE-1753681 and 2438185. Host: Dr. Alan T. Sherman, sherman@umbc.edu