An Empirical Investigation of Company Response to Data Breaches

Abstract

Companies may face serious adverse consequences as a result of a data breach event. To repair the potential damage to relationships with stakeholders after data breaches, companies adopt a variety of response strategies. However, the effects of these response strategies on the behavior of stakeholders after a data breach are unclear; differences in response times may also affect these outcomes, depending on the notification laws that apply to each company. As part of a multimethod study, we first identified the adopted response strategies in Study 1 based on content analysis of the response letters issued by publicly traded U.S. companies (n = 204) following data breaches; these strategies include any combination of the following: corrective action, apology, and compensation. We also found that breached companies may remain silent and adopt a “no action” strategy. In Studies 2 and 3, we examined the effects of various response strategies and response times on the predominant stakeholders affected by data breaches: customers and investors. In Study 2, we focused on customers and present a moderated-moderated-mediation model based on the expectancy violation theory. To test this model, we designed a factorial survey with 15 different conditions (n = 811). In Study 3, we focused on investors and conducted an event study (n = 166) to examine their reactions to company responses to data breaches. The results indicate the presence of moderating effects of certain response strategies; surprisingly, we did not find compensation to be more effective than apology. The magnitude of the moderating effects of response strategies is contingent upon response time. We also found that the negative effects of data breaches disappear after six months. We interpret the results and provide implications for research and practice.