Management Information Systems Quarterly
Abstract
Laws requiring firms to disclose privacy breaches to their customers have been adopted extensively worldwide. However, the manner in which these laws affect the security protection behavior of firms disclosing a data breach is poorly understood. To shed light on this issue, we leveraged institutional theory and examined how U.S. state data breach notification laws (DBNLs), under which firms must notify customers of personal information breaches, influenced firm-level incidence of security breaches and how such influence manifested heterogeneously across firms. Exploiting the staggered enactments of DBNLs in a difference-in-differences analysis, we found that firms experienced a significant reduction in data breach incidents after the implementation of DBNLs. This effect was more pronounced among firms that were more reliant on sensitive customer data, operated in stricter privacy protection environments, or held more intangible and digital assets. We document evidence that compared to firms not subject to DBNLs, firms subject to these laws are more likely to appoint IT-specialized executives and remediate IT-related internal control weaknesses, which suggests potential channels that may facilitate DBNLs’ curbing of data breaches. We also found that the reduction in breach incidences following DBNL-mandated disclosure policies relates to both endogenous breaches and exogenous cyberattacks.