Much Ado about Nothing: The (Lack of) Economic Impact of Data Privacy Breaches

ABSTRACT In this paper, we examine the consequences of data breaches for a breached company. We find the economic consequences are, on average, very small for breached companies. On average, breaches result in less than −0.3 percent cumulative abnormal returns in the short window around the breach disclosure. Except for a few catastrophic breaches, the nominal difference in cumulative abnormal returns between breach companies and the matched companies disappears within days after the breach. We also test whether data breaches affect future accounting measures of performance, audit and other fees, and future Sarbanes-Oxley Section 404 reports of material internal control weaknesses, but find no differences between breach and matched companies. Our results address the question why companies are not spending more to reduce breaches. We conclude by providing a few explanations of why there appears to be an effect at the economy-wide level, but no noticeable effect on individual company performance.