Privacy and cybercrime law in the United States typically focuses on disclosure and deter-
rence by denial, but obtaining evidence about this regime's ecacy has eluded policymakers
and researchers. This dissertation evaluates various pieces of U.S. data protection law, and
oers data-driven approaches to longstanding questions in the literature. Chapter 2 reframes
cybercrime from a causal question to a predictive one, and presents a machine learning model
that predicts which publicly traded companies are likely to suer data breaches. Chapter
3 examines state data breach notication laws, the primary mechanism for responding to
data breaches in the U.S., and oers evidence about their eect on medical identity theft
rates. Chapter 4 looks at how governments, intellectual property owners, and technology
companies police cybercrime by disrupting cybercriminals' access to intermediaries. Taken
together, the three chapters suggest a path forward for researching and evaluating cybercrime
policy in a data-driven manner.