Revisiting the (disappearing) cost of data breach disclosures

Abstract

Purpose The detrimental impact of data breaches on organizations and their customers has been well documented in the literature. These breaches expose sensitive information, raising concerns about reputational damage and substantial financial losses for affected firms. Prior research has consistently demonstrated the significant financial repercussions of data breach disclosures, with a significant decline in the market value of breached firms following the incident’s revelation. However, recent literature has documented the shift in consumer perception toward data breaches, warranting a revisit of this important and relevant issue with more recent data. This study aims to revisit the cost of data breach disclosures by empirically analyzing the impact of recent data breach incidents on the market value of affected firms. Design/methodology/approach The authors collect the data regarding data breach incidents among publicly traded companies in the USA listed in the S&P 500 index from 2013 to 2021. The empirical analysis relies on the event study approach, and the market value of each firm is estimated using the Fama-French three-factor model. Findings This study finds that the negative market reaction to data breach announcements in recent years has been significantly weaker than those reported in prior works from the past decade. This result confirms the shift in consumer perception toward data breaches in the market. Originality/value While prior research has quantified the cost of data breach disclosures, the authors posit that a renewed examination is essential within the contemporary digital environment. Consumer behavior and market sentiment have undergone significant transformations in recent years, necessitating a revisit of this important issue with updated data. This study not only documents this evolving phenomenon but also yields crucial policy recommendations. Notably, it challenges the conventional wisdom to rely on market forces as an adequate deterrent against data breaches. Consequently, updated regulations may be necessary to effectively navigate the complexities of the evolving digital landscape.