Privacy Breaches and the Effect of Customer Notification

Jeong-Bon KIM, Chong WANG, Feng Harry WU

Research output: Journal Publications, Journal Article (refereed), peer-review

Abstract

Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, the manner in which these laws affect the security protection behavior of disclosing firms is poorly understood. To shed light on this issue, we leverage institutional theory and examine how the data breach notification laws (DBNLs) across the states of the U.S., under which firms must notify customers of personal information breaches, influence firm-level incidence of security breakage and how such influences manifest heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we find that firms experience a significant reduction in data breach incidents after DBNLs. This effect is more pronounced when firms rely more on sensitive customer data, operate in stricter privacy protection environments, and hold more intangible and digital assets. We document evidence that, compared to non-subject firms, DBNL-subject firms are more likely to appoint IT-specialized executives and remediate IT-related internal control weaknesses, which suggests potential channels that may facilitate DBNLs’ curbing of data breaches. We also find that the reduction in breach incidence after DBNL-mandated disclosure relates to both endogenous breaches and exogenous cyberattacks.
Original language: English
Journal: MIS Quarterly
Early online date: 11 Jul 2024
Publication status: E-pub ahead of print - 11 Jul 2024

Bibliographical note

The authors thank James Thong (Senior Editor), an anonymous Associate Editor, and three anonymous reviewers for their extremely constructive comments. We also appreciate helpful feedback from Aurelius Aaron, Xiaoqi Chen, June Cheng, Jimmy Jin, Jungmin Kim, Gang Li, Jeffery Ng, Walid Saffar, Nancy Su, Lisa Sun, John Wei, Qiang Wu, Lei Yang, Weihuan Zhai, Shaojun Zhang, Jing Zhao, and seminar participants at Hong Kong Polytechnic University and workshop participants at the University of International Business and Economics. Chong Wang acknowledges support from Hong Kong Polytechnic University and the National Natural Science Foundation of China [Grant 71932003] and Feng (Harry) Wu acknowledges support from Lingnan University.

Keywords

  • Data breach notification laws
  • data breaches
  • institutional theory
  • difference-in-difference
