Firms time announcements of data breaches to bury the bad news
New research in the INFORMS journal Management Science finds that firms that have experienced data breaches intentionally time their breach announcements around other significant breaking news to reduce media coverage and minimize public attention.
"We estimate that strategic timing reduces the median decline in market capitalization loss resulting from a data breach, from $347 million to $85 million," says Sebastian Schuetz of Florida International University.
The study, conducted by Schuetz and Jens Foerderer of the Technical University of Munich, finds that this strategy harms consumers because the stock markets do not adequately "punish" firms for their misbehavior.
The work appears to show that strategic timing is most common in data breaches that are of greatest interest to consumers, such as those that are more severe and involve healthcare data, financial data and credentials.
"Based on our findings, we recommend lawmakers mandate shorter disclosure deadlines, from the current 30-day deadline to just three days," says Foerderer. "Strategic timing is harmful for consumers because it undermines the effectiveness of current U.S. data breach legislation. Because consumers and investors receive less information about the occurrence of a data breach, less change is being promoted in firms to protect consumers against future security issues."
More information: Jens Foerderer et al, Data Breach Announcements and Stock Market Reactions: A Matter of Timing?, Management Science (2022). DOI: 10.1287/mnsc.2021.4264
Journal information: Management Science