Abstract
Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, how these laws affect the security protection behavior of disclosing firms is poorly understood. To shed light on this issue, we leverage institutional theory and examine how the data breach notification laws (DBNLs) across the states of the U.S., under which firms must notify customers of personal information breaches, influence the firm-level incidence of security breaches and how such influences manifest heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we find that firms experience a significant reduction in data breach incidents after DBNLs take effect. This effect is more pronounced when firms rely more on sensitive customer data, operate in stricter privacy protection environments, and hold more intangible and digital assets. We document evidence that, compared to non-subject firms, DBNL-subject firms are more likely to appoint IT-specialized executives and to remediate IT-related internal control weaknesses, which suggests potential channels through which DBNLs may curb data breaches. We also find that the reduction in breach incidence after DBNL-mandated disclosure relates to both endogenous breaches and exogenous cyberattacks.
Original language | English |
---|---|
Journal | MIS Quarterly |
Early online date | 11 Jul 2024 |
DOIs | |
Publication status | E-pub ahead of print - 11 Jul 2024 |
Bibliographical note
The authors thank James Thong (Senior Editor), an anonymous Associate Editor, and three anonymous reviewers for their extremely constructive comments. We also appreciate helpful feedback from Aurelius Aaron, Xiaoqi Chen, June Cheng, Jimmy Jin, Jungmin Kim, Gang Li, Jeffery Ng, Walid Saffar, Nancy Su, Lisa Sun, John Wei, Qiang Wu, Lei Yang, Weihuan Zhai, Shaojun Zhang, Jing Zhao, and seminar participants at Hong Kong Polytechnic University and workshop participants at the University of International Business and Economics. Chong Wang acknowledges support from Hong Kong Polytechnic University and the National Natural Science Foundation of China [Grant 71932003] and Feng (Harry) Wu acknowledges support from Lingnan University.
Keywords
- Data breach notification laws
- data breaches
- institutional theory
- difference-in-differences