Data Security, Data Breaches, and Compliance

Article Source: Chapter in Cambridge Handbook on Compliance, D. Daniel Sokol & Benjamin van Rooij, eds., 2021
Publication Date:
Written By:

 Chirantan Chatterjee





Data breaches affect the breached firm’s stock price. Fines for data breaches are low, and firms may underinvest in security. Litigation following a breach is less likely when firms offer free credit monitoring.


Policy Relevance:

Better training and more investment in security are needed to address data breaches.


Key Takeaways:
  • A data breach is an incident in which someone acquires data containing sensitive information without authorization, causing a reasonable risk of its misuse.
  • Data breaches decrease the market value of the breached firm's stock when the breach is announced, but the effect diminishes over time; few consumers stop dealing with a firm even after a data breach.
  • Information technology security developers often enjoy gains in stock market value within days of the announcement of a breach; however, breaches involving a high number of records will lower the stock price of information technology consulting firms, perhaps because of reputational harm.
  • Cyberattacks are typically aided by insiders, but their assistance is unintentional; therefore, methods of detection that work for fraud will not work well for data breaches.
    • Firms offer less cyber security training than other forms of risk management.
    • Training focusses too much on hackers and not enough on compliance after a breach.
  • Fines for data breaches in the United States and Europe are low compared to other offenses; low levels of fines may lead to under-investment in security.
  • Courts struggle to conceptualize data breach harms because of the need to show a causal link between the breach and an actual harmful economic impact directly related to the breach.
  • Lawsuits are more likely to arise from a data breach when the individual consumer suffers financial harm, and less likely when the breached firm offers free credit monitoring.
  • Future studies should consider the following:
    • The long-term impact of data breaches, including the costs of repairs, litigation costs, loss of customers and reputation, and effects on stock price.
    • The effect of data breaches on government agencies and nonprofits.
    • Data security issues related to the Internet of Things.




About Daniel Sokol

D. Daniel Sokol is the Carolyn Craig Franklin Chair in Law and Business at the USC Gould School of Law and an Affiliate Professor of Business at the Marshall School of Business, where he teaches in the marketing department. He serves as faculty director of the Center for Transnational Law and Business and the co-director of the USC Marshall Initiative on Digital Competition.