Data Security, Data Breaches, and Compliance

Privacy and Security

Article Snapshot

Author(s)

Chirantan Chatterjee and Daniel Sokol

Source

Chapter in Cambridge Handbook on Compliance, D. Daniel Sokol & Benjamin van Rooij, eds., 2021

Summary

Data breaches affect the breached firm’s stock price. Fines for data breaches are low, and firms may underinvest in security. Litigation following a breach is less likely when firms offer free credit monitoring.

Policy Relevance

Better training and more investment in security are needed to address data breaches.

Main Points

  • A data breach is an incident in which someone acquires data containing sensitive information without authorization, causing a reasonable risk of its misuse.
     
  • Data breaches decrease the market value of the breached firm's stock when the breach is announced, but the effect diminishes over time; few consumers stop dealing with a firm even after a data breach.
     
  • Information technology security developers often enjoy gains in stock market value within days of the announcement of a breach; however, breaches involving a high number of records will lower the stock price of information technology consulting firms, perhaps because of reputational harm.
     
  • Cyberattacks are typically aided by insiders, but their assistance is unintentional; therefore, methods of detection that work for fraud will not work well for data breaches.
     
    • Firms offer less cyber security training than other forms of risk management.
       
    • Training focusses too much on hackers and not enough on compliance after a breach.
       
  • Fines for data breaches in the United States and Europe are low compared to other offenses; low levels of fines may lead to under-investment in security.
     
  • Courts struggle to conceptualize data breach harms because of the need to show a causal link between the breach and an actual harmful economic impact directly related to the breach.
     
  • Lawsuits are more likely to arise from a data breach when the individual consumer suffers financial harm, and less likely when the breached firm offers free credit monitoring.
     
  • Future studies should consider the following:
     
    • The long-term impact of data breaches, including the costs of repairs, litigation costs, loss of customers and reputation, and effects on stock price.
       
    • The effect of data breaches on government agencies and nonprofits.
       
    • Data security issues related to the Internet of Things.
       
