Privacy Breaches and the Effect of Customer Notification

Jeong-Bon KIM; Chong WANG; Feng Harry WU

doi:10.25300/MISQ/2024/17540

Privacy Breaches and the Effect of Customer Notification

Jeong-Bon KIM, Chong WANG, Feng Harry WU

Department of Accountancy

Research output: Journal Publications › Journal Article (refereed) › peer-review

Abstract

Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, the manner in which these laws affect the security protection behavior of firms disclosing a data breach is poorly understood. To shed light on this issue, we leveraged institutional theory and examined how U.S. state data breach notification laws (DBNLs), under which firms must notify customers of personal information breaches, influenced firm-level incidence of security breaches and how such influence manifested heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we found that firms experienced a significant reduction in data breach incidents after the implementation of DBNLs. This effect was more pronounced among firms that were more reliant on sensitive customer data, operated in stricter privacy protection environments, or held more intangible and digital assets. We document evidence that compared to firms not subject to DBNLs, firms subject to these laws are more likely to appoint IT-specialized executives and remediate IT-related internal control weaknesses, which suggests potential channels that may facilitate DBNLs’ curbing of data breaches. We also found that the reduction in breach incidences following DBNL-mandated disclosure policies relates to both endogenous breaches and exogenous cyberattacks.

Original language	English
Pages (from-to)	1483-1502
Number of pages	20
Journal	MIS Quarterly: Management Information Systems
Volume	48
Issue number	4
Early online date	11 Jul 2024
DOIs	https://doi.org/10.25300/MISQ/2024/17540
Publication status	Published - Dec 2024

Bibliographical note

The authors thank James Thong (Senior Editor), an anonymous Associate Editor, and three anonymous reviewers for their extremely constructive comments. We also appreciate helpful feedbacks from Aurelius Aaron, Xiaoqi Chen, June Cheng, Jimmy Jin, Jungmin Kim, Gang Li, Jeffery Ng, Walid Saffar, Nancy Su, Lisa Sun, John Wei, Qiang Wu, Lei Yang, Weihuan Zhai, Shaojun Zhang, Jing Zhao, and seminar participants at Hong Kong Polytechnic University and workshop participants at the University of International Business and Economics. Chong Wang acknowledges support from Hong Kong Polytechnic University and the and Feng (Harry) Wu acknowledges support from Lingnan University.

Funding

National Natural Science Foundation of China [Grant 71932003]

Keywords

Data breach notification laws
data breaches
difference-in-differences
institutional theory

Access to Document

10.25300/MISQ/2024/17540

Cite this

@article{b602ccbfce3e448e998c66d37719ee2e,

title = "Privacy Breaches and the Effect of Customer Notification",

abstract = "Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, the manner in which these laws affect the security protection behavior of firms disclosing a data breach is poorly understood. To shed light on this issue, we leveraged institutional theory and examined how U.S. state data breach notification laws (DBNLs), under which firms must notify customers of personal information breaches, influenced firm-level incidence of security breaches and how such influence manifested heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we found that firms experienced a significant reduction in data breach incidents after the implementation of DBNLs. This effect was more pronounced among firms that were more reliant on sensitive customer data, operated in stricter privacy protection environments, or held more intangible and digital assets. We document evidence that compared to firms not subject to DBNLs, firms subject to these laws are more likely to appoint IT-specialized executives and remediate IT-related internal control weaknesses, which suggests potential channels that may facilitate DBNLs{\textquoteright} curbing of data breaches. We also found that the reduction in breach incidences following DBNL-mandated disclosure policies relates to both endogenous breaches and exogenous cyberattacks.",

keywords = "Data breach notification laws, data breaches, difference-in-differences, institutional theory",

author = "Jeong-Bon KIM and Chong WANG and WU, {Feng Harry}",

note = "The authors thank James Thong (Senior Editor), an anonymous Associate Editor, and three anonymous reviewers for their extremely constructive comments. We also appreciate helpful feedbacks from Aurelius Aaron, Xiaoqi Chen, June Cheng, Jimmy Jin, Jungmin Kim, Gang Li, Jeffery Ng, Walid Saffar, Nancy Su, Lisa Sun, John Wei, Qiang Wu, Lei Yang, Weihuan Zhai, Shaojun Zhang, Jing Zhao, and seminar participants at Hong Kong Polytechnic University and workshop participants at the University of International Business and Economics. Chong Wang acknowledges support from Hong Kong Polytechnic University and the and Feng (Harry) Wu acknowledges support from Lingnan University.",

year = "2024",

month = dec,

doi = "10.25300/MISQ/2024/17540",

language = "English",

volume = "48",

pages = "1483--1502",

journal = "MIS Quarterly: Management Information Systems",

issn = "0276-7783",

publisher = "Management Information Systems Research Center",

number = "4",

}

TY - JOUR

T1 - Privacy Breaches and the Effect of Customer Notification

AU - KIM, Jeong-Bon

AU - WANG, Chong

AU - WU, Feng Harry

N1 - The authors thank James Thong (Senior Editor), an anonymous Associate Editor, and three anonymous reviewers for their extremely constructive comments. We also appreciate helpful feedbacks from Aurelius Aaron, Xiaoqi Chen, June Cheng, Jimmy Jin, Jungmin Kim, Gang Li, Jeffery Ng, Walid Saffar, Nancy Su, Lisa Sun, John Wei, Qiang Wu, Lei Yang, Weihuan Zhai, Shaojun Zhang, Jing Zhao, and seminar participants at Hong Kong Polytechnic University and workshop participants at the University of International Business and Economics. Chong Wang acknowledges support from Hong Kong Polytechnic University and the and Feng (Harry) Wu acknowledges support from Lingnan University.

PY - 2024/12

Y1 - 2024/12

N2 - Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, the manner in which these laws affect the security protection behavior of firms disclosing a data breach is poorly understood. To shed light on this issue, we leveraged institutional theory and examined how U.S. state data breach notification laws (DBNLs), under which firms must notify customers of personal information breaches, influenced firm-level incidence of security breaches and how such influence manifested heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we found that firms experienced a significant reduction in data breach incidents after the implementation of DBNLs. This effect was more pronounced among firms that were more reliant on sensitive customer data, operated in stricter privacy protection environments, or held more intangible and digital assets. We document evidence that compared to firms not subject to DBNLs, firms subject to these laws are more likely to appoint IT-specialized executives and remediate IT-related internal control weaknesses, which suggests potential channels that may facilitate DBNLs’ curbing of data breaches. We also found that the reduction in breach incidences following DBNL-mandated disclosure policies relates to both endogenous breaches and exogenous cyberattacks.

AB - Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, the manner in which these laws affect the security protection behavior of firms disclosing a data breach is poorly understood. To shed light on this issue, we leveraged institutional theory and examined how U.S. state data breach notification laws (DBNLs), under which firms must notify customers of personal information breaches, influenced firm-level incidence of security breaches and how such influence manifested heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we found that firms experienced a significant reduction in data breach incidents after the implementation of DBNLs. This effect was more pronounced among firms that were more reliant on sensitive customer data, operated in stricter privacy protection environments, or held more intangible and digital assets. We document evidence that compared to firms not subject to DBNLs, firms subject to these laws are more likely to appoint IT-specialized executives and remediate IT-related internal control weaknesses, which suggests potential channels that may facilitate DBNLs’ curbing of data breaches. We also found that the reduction in breach incidences following DBNL-mandated disclosure policies relates to both endogenous breaches and exogenous cyberattacks.

KW - Data breach notification laws

KW - data breaches

KW - difference-in-differences

KW - institutional theory

UR - http://www.scopus.com/inward/record.url?scp=85210999263&partnerID=8YFLogxK

U2 - 10.25300/MISQ/2024/17540

DO - 10.25300/MISQ/2024/17540

M3 - Journal Article (refereed)

SN - 0276-7783

VL - 48

SP - 1483

EP - 1502

JO - MIS Quarterly: Management Information Systems

JF - MIS Quarterly: Management Information Systems

IS - 4

ER -

Privacy Breaches and the Effect of Customer Notification

Abstract

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this