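Business
Internet privacy
Computer security
Data breach
Information privacy
Marketing
Computer science
Knowledge management
Authors
Jeong‐Bon Kim, Li Wang, Feng Wu
Identifier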
DOI:10.25300/misq/2024/17540
Abstract
Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, the manner in which these laws affect the security protection behavior of disclosing firms is poorly understood. To shed light on this issue, we leverage institutional theory and examine how the data breach notification laws (DBNLs) across the states of the U.S., under which firms must notify customers of personal information breaches, influence firm-level incidence of security breakage and how such influences manifest heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we find that firms experience a significant reduction in data breach incidents after DBNLs. This effect is more pronounced when firms rely more on sensitive customer data, operate in stricter privacy protection environments, and hold more intangible and digital assets. We document evidence that, compared to non-subject firms, DBNL-subject firms are more likely to appoint IT-specialized executives and remediate IT-related internal control weaknesses, which suggests potential channels that may facilitate DBNLs’ curbing of data breaches. We also find that the reduction in breach incidence after DBNL-mandated disclosure relates to both endogenous breaches and exogenous cyberattacks.