






















Data breach disclosure (DBD) is presumed to improve firms' cybersecurity practices by inducing fear of subsequent revenue loss. This revenue loss, the theory goes, will occur if customers punish an offending firm by refusing to buy from them and is assumed to be the primary mechanism through which DBD laws will change firm behavior ex ante. However, our analysis of a large-scale data breach at a US retailer reveals no evidence of a decline in revenue. Using a difference-in-difference design on revenue data from 302 stores over a 20-week period around the breach disclosure, we found no evidence of a decline either across all stores or when sub-sampling by prior revenue size (to account for any heterogeneity in prior revenue size). Therefore, we posit that the presumed primary mechanism of DBD laws, and thus these laws may be ineffective and merely a lot of "sound and fury, signifying nothing."
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。