Do Nonprofessional Investors Care About How and When Data Breaches are Disclosed?

What is it about?

We examine the first time a data breach is publicly reported. As significant amounts of consumer information can be stolen by hackers in a data breach, timely announcement of such event is critical. However, companies have the ability to delay public disclosure, allowing more time to pass between the actual data breach and initial news, and increasing the chance someone else, such as a blog or news site, is the first to publicly disclose. Experimentally, we find that investors view a company provided disclosure as having a more negative impact than if someone else discloses the breach. Focusing on company provided news, we find that delayed reporting is viewed as worse than timely company disclosure, suggesting that investors punish firms who are not prompt in disclosing a data breach.

Featured Image