Enterprises try to limit attention for data losses
Companies report data leaks on heavy news days
Every year the personal data of millions of people such as passwords, credit card details or health details fall into the hands of unauthorized persons through hacking or data processing errors by companies. The consequences for those affected can be devastating, from financial losses to identity theft. To protect their customers, companies in many countries are required by law to report such incidents to the regulatory authorities and inform their customers. As a result, such leaks usually become public knowledge.
In such situations, a rapid response is actually needed to limit the spread and avoid abuse of the stolen data. However, the deadlines specified by laws give companies leeway in the timing of disclosures. In the European Union any data leak that may result in risks for the concerned individuals must be reported within 72 hours. In the USA the reporting deadlines vary by state from 30 to 90 days.
When Jens Foerderer, a professor of innovation and digitalization at the Technical University of Munich (TUM), and Sebastian Schuetz, a professor of information systems and business analytics at Florida International University, studied incidents of this kind, they were astonished to see that share prices were relatively unresponsive to announcements of data breaches. “That surprised us, because leaks are damaging to a company’s image and lead to a loss of trust among customers, which should actually lead to a sharp decrease in the stock market valuation,” says Jens Förderer. “Our hypothesis was that the investors’ attention was distracted by other news.”
The researchers therefore identified the time of disclosure of more than 8000 data leaks of publicly traded US companies between 2008 and 2018, using information obtained from the non-profit organization Identity Theft Resource Center (ITRC). They then checked the timing against the dates on which many companies presented their quarterly figures – dates on which it was obvious in advance that large quantities of market-related information would be released. For that purpose, they analyzed the Wall Street Journal, the most important business newspaper in the USA.
The study confirms the researchers’ conjecture: there was a significantly greater incidence of data breach disclosures on days when other news dominated the headlines. There was a particularly strong correlation between the general news situation and the disclosure date in case of serious data breaches caused by internal negligence or errors as well as in case of leaks of health information or personal identity data.
“On heavy news days, both newsrooms and analysts have to prioritize the information they pick up. Our results suggest that companies strategically schedule the disclosure of data leaks and deliberately target times when the announcement will receive less attention,” says Foerderer.
In a second step, the researchers wanted to know whether this tactic was successful for the companies. To do this, they looked at the performance of companies’ shares following the disclosure of data losses. Although share prices were lower on average, the decrease was in fact less on heavy news days.
“Companies that bury their data handling mistakes under other news thus avoid public pressure for them and other companies to take stronger measures against data breaches,” says Sebastian Schuetz.
The researchers recommend that the leeway for the timing of data loss announcements should be made as restrictive as possible. “The longer the disclosure deadline, the more companies are able to strategically plan the announcements and evade the actual purpose of disclosure,” says Jens Foerderer.
Jens Foerderer, Sebastian Schuetz: Data Breach Announcements and Stock Market Reactions: A Matter of Timing? Management Science 2022. DOI: 10.1287/mnsc.2021.4264
Prof. Jens Foerderer conducts research at the Center for Digital Transformation at the TUM Campus Heilbronn.