Sound and Fury, Signifying Nothing? Impact of Data Breach Disclosure Laws
Muhammad Zia Hydari, Yangfan Liang, Rahul Telang

TL;DR
This study investigates whether data breach disclosure leads to a loss of firm revenue. It finds no evidence of a revenue decline after disclosure, which calls into question the assumed effectiveness of disclosure laws in improving cybersecurity practices.
Contribution
The paper provides empirical evidence that data breach disclosure laws do not significantly impact firm revenue, challenging the common assumption of their effectiveness in incentivizing cybersecurity.
Findings
No revenue decline observed post-breach disclosure
Analysis based on 302 stores over 20 weeks
Questions the effectiveness of DBD laws in changing firm behavior
Abstract
Data breach disclosure (DBD) is presumed to improve firms' cybersecurity practices by inducing fear of subsequent revenue loss. This revenue loss, the theory goes, will occur if customers punish an offending firm by refusing to buy from them and is assumed to be the primary mechanism through which DBD laws will change firm behavior ex ante. However, our analysis of a large-scale data breach at a US retailer reveals no evidence of a decline in revenue. Using a difference-in-difference design on revenue data from 302 stores over a 20-week period around the breach disclosure, we found no evidence of a decline either across all stores or when sub-sampling by prior revenue size (to account for any heterogeneity in prior revenue size). Therefore, we posit that the presumed primary mechanism of DBD laws, and thus these laws, may be ineffective and merely a lot of "sound and fury, signifying…
Taxonomy
Topics: Information and Cyber Security · Cybercrime and Law Enforcement Studies
