4,678 research outputs found

    The Impact of Federal and State Notification Laws on Security Breach Announcements

    Firms are under increasing regulatory pressures to protect consumers’ confidential information. The focus of this article is to examine the impact of federal and state breach notification laws in coaxing organizations to improve security of customers’ confidential information. Specifically, we use event-study methodology to examine the impact of security breach announcements on the market value of firms during the period before and after the enactment of this legislation. Our results show that the negative impacts of security breach announcements on stock prices have been reduced significantly after the enactment of federal and state security breach notification laws

    The Impact of GDPR Infringement Fines on the Market Value of Firms

    Previous studies have shown (varying degrees of) evidence of a negative impact of data breach announcements on the share price of publicly listed companies. Following on from this research, further studies have been carried out in assessing the economic impact of the introduction of legislation in this area to encourage firms to invest in cyber security and protect the privacy of data subjects. Existing research has been predominantly US-centric. This paper looks at the impact of the General Data Protection Regulation (GDPR) infringement fine announcements on the market value of mostly European publicly listed companies with a view to reinforcing the importance of data privacy compliance, thereby informing cyber security investment strategies for organisations. Using event study techniques, a dataset of 25 GDPR fine announcement events was analysed, and statistically significant cumulative abnormal returns (CAR) of around -1% on average up to three days after the event were identified. In almost all cases, this negative economic impact on market value far outweighed the monetary value of the fine itself, and relatively minor fines could result in major market valuation losses for companies, even those having large market capitalisations. A further dataset of four announcements where sizeable GDPR fines were subsequently appealed was also analysed and although positive returns for successful appeals were observed (and the reverse), they could not be shown to be statistically significant - perhaps due, at least in part, to COVID-19 related market volatility at that time. This research would be of benefit to business management, practitioners of cyber security, investors and shareholders as well as researchers in cyber security or related fields (pointers to future research are given). Data protection authorities may also find this work of interest.

    The impact of data security on firm value : how do stock markets react to data breach announcements?

    Far too often, data security concerns are not taken as seriously as they should be. This negligent behavior does not seldom result in data breaches with far reaching economic consequences. This paper demonstrates that there is an observable decline in firm value following a data breach announcement, applying an event study methodology to a sample of 366 firms being subject to data breaches between January 2013 to July 2018. Using a one-factor and a three-factor model to estimate abnormal returns, firms experiencing a data breach lost on average about 1.33 percent of equity over a three-day window around the event. For different industries, deviations in the magnitude of negative market reactions are detected. Various company and incident related variables, such as company size and number of customer records exposed are deployed in regression analyses to account for cross-sectional variations in abnormal returns. Profitability has a positive influence on the abnormal returns obtained. Multiple breaches have a negative impact on the abnormal equity returns, however, there is no significant difference in the severity when compared to single breaches. Other factors, namely company size, leverage, magnitude of the breach and type of breach do not have any statistically significant influence on the market reactions observed.

    Protecting the Brand: Evaluating the Cost of Security Breach from a Marketer’s Perspective

    Cyberattacks have increased over the years both at the individual and firm level. Yet, the organizational budgets directed toward information security remains low. One reason is that the ramifications of information breach, such as increased consumer perception of risk and brand equity erosion remain, to the senior executives and board of directors in organizations, almost invisible. The second reason is that managers are required to justify budgets. The cost of system breach is often difficult to quantify. There are direct and enduring costs of information breach. As such, it has implications that impact not just the downtime during a data breach but loss of customers, trust, loyalty and brand equity, all of great concern to marketing managers. This paper analyzes the impact of a breach announcement on the market valuation of the company. Such an analysis using the event study methodology provides a clear indication of how the market reacts to the firm’s breach in information. The results of the study indicate that the market punishes the firm with a small but significant negative abnormal return on the announcement of the breach, and this trend persists. This result, together with the indirect or enduring costs related to brand erosion, provides a good justification to senior executives for protecting the integrity of information, and by so doing, protecting the equity of the brand

    To Notify or Not to Notify?: Do Organizations Comply with U.S. Data Breach Notification Laws? An Empirical Study

    Data Breach Notification Laws (DBNLs) oblige organizations to notify personal data breaches. In theory, DBNLs mitigate damage after a data breach and incentivize companies to invest in information security. The regulatory enforcement of the DBNL is based on deterrence, because penalties are imposed, varying from $1,000 to $750,000 between states. It is uncertain whether DBNLs are deterrent enough to prevent organizations from concealing data breaches, especially because organizations suffer reputational costs from a notification. This study empirically tests compliance, by relating the adoption and characteristics of different U.S. DBNLs to actual observed data breach notifications based on the privacy breach clearinghouse dataset (2005-2012). After the adoption of the law, a 50% increase of notifications is observed. But, the absolute number of notifications is low, merely 0.05% of the U.S. companies notified. This indicates low compliance, possibly caused by high costs of notifying and low costs of concealing a notification. Unexpectedly, higher sanctions did not have an effect, but limited commensurability of the different sanctioning regimes prohibits a permanent statement. This paper recommends enhancing DBNLs by increasing both the benefits of notifying and deterrence. Benefits are increased by incorporating rewards for good behavior by assisting companies in mitigating damage and continuously reward companies that are compliant by sharing knowledge about threats. Deterrence is increased by higher penalties and more stringent enforcement.

    The Impact of Data Breach Announcements on Company Value in European Markets

    Recent research on the economic impact of data breach announcements on publicly listed companies was found to be sparse, with the majority of existing studies having a strong US bias. Here, a dataset of 45 data breach disclosures between 2017 and 2019 relevant to European publicly listed companies was hand-gathered (from various sources) and detailed analyses of share price impact carried out using event study techniques with the aim of supporting business cases for firms to invest in cyber security. Differences from existing studies (in particular, the US market) are highlighted and discussed along with pointers to future research in this area. Although some evidence of negative cumulative abnormal returns (CAR) in the days surrounding the announcement were observed, along with one extreme case leading to insolvency, the results were not statistically significant overall with the notable exception of the Spanish market, which appeared to be more sensitive to data breaches, reacting rapidly. Therefore, justification for cyber security investment purely based on the market value effect of a data breach disclosure would be challenging. Other factors would need to be taken into consideration such as risk appetite, industry sector and nature of the information compromised as well as relevant legislation. Certain other observations were noted such as the lack of a comprehensive breach database for Europe (unlike US) and the effect of the introduction of the General Data Protection Regulation (GDPR). This research would be of benefit to business management, practitioners of cyber security, investors and shareholders as well as researchers in cyber security or related fields

    Should You Disclose a Data Breach via Social Media? Evidence from US Listed Companies

    Data breaches represent one of the main concerns for executives across all sectors. Data breaches open a period of crisis for the affected firm and require them to disclose complex information to a variety of stakeholders in a timely and proper manner. This paper investigates the relationship between social media disclosure of a data breach and its cost, as proxied by the response of the affected firm’s stock price. Using an event study methodology on a sample of 32 data breaches from 29 US publicly-traded firms from 2011 to 2014, we find that social media disclosure exacerbates the negative stock price’s response to the announcement. However, such a negative association is contingent on firm’s visibility on traditional media with social media disclosure having a beneficial effect for low-visibility companies.

    Encryption and the Loss of Patient Data

    Fast-paced IT advances have made it increasingly possible and useful for firms to collect data on their customers on an unprecedented scale. One downside of this is that firms can experience negative publicity and financial damage if their data are breached. This is particularly the case in the medical sector, where we find empirical evidence that increased digitization of patient data is associated with more data breaches. The encryption of customer data is often presented as a potential solution, because encryption acts as a disincentive for potential malicious hackers, and can minimize the risk of breached data being put to malicious use. However, encryption both requires careful data management policies to be successful and does not ward off the insider threat. Indeed, we find no empirical evidence of a decrease in publicized instances of data loss associated with the use of encryption. Instead, there are actually increases in the cases of publicized data loss due to internal fraud or loss of computer equipment. National Science Foundation (U.S.) (Grant 1053398)

    On the economic impact of information security announcements: an event study analysis

    This research is concerned with the economic impact of information security events both unfavourable (data breaches and GDPR infringement fines) and favourable (CISO appointment announcements). Literature in this area was found to be sparse and with a strong US bias, therefore this study focusses on UK and European markets. Using event study methodology, the impact on share price of a hand-gathered (due to lack of a comprehensive breach database for Europe) dataset of 45 data breach announcements concerning UK/European publicly listed companies was analysed and only weak evidence was found of a negative impact overall, although the Spanish market showed a greater reaction. Regarding GDPR infringement fine announcements (25 examples), statistically significant CARs of -1% on average were observed over a three-day period. Spanish and Romanian markets were shown to be particularly reactive. Such a loss in market capitalisation was, in almost all cases, much greater than the monetary value of the fine itself, actually ca. 29,000 times greater on average. Announcements of CISO type role appointments (37 examples) showed an uplift in share price of around 0.8% on average over a three-day period before, during and after the announcement. The financial services sector was found to respond more positively (+1.8%) with statistical significance at the 1% level. As well as highlighting the benefits of transparency by publicly listed firms and disclosure regulations in early-adopter nations such as the US, the results of these studies should encourage firms to improve their cyber security postures overall to emulate highly regulated sectors such as financial services. A review of security investment strategies is also included for convenience, as well as pointers for future research. This research would be of benefit to business management, practitioners of cybersecurity, investors and shareholders, policy makers as well as researchers in cyber security or related fields