On the Effectiveness of Privacy Breach Disclosure Legislation in Europe: Empirical Evidence from the US Stock Market

Authors:
Jan Muntermann;Heiko Roßnagel
Affiliations:
Goethe-University Frankfurt, House of Finance, Frankfurt, Germany 60323;Fraunhofer Institute for Industrial Engineering (IAO), Stuttgart, Germany 70569
Venue:
NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
Year:
2009

Citing 13
Cited 1

The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Research Report: A Reexamination of IT Investment and the Market Value of the Firm--An Event Study Methodology

Information Systems Research
The Impact of E-Commerce Announcements on the Market Value of Firms

Information Systems Research
Assessing the Risk in E-commerce

HICSS '02 Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02)-Volume 7 - Volume 7
The economic cost of publicly announced information security breaches: empirical evidence from the stock market

Journal of Computer Security - IFIP 2000
A model for evaluating IT security investments

Communications of the ACM - Has the Internet become indispensable?
Estimating Potential IT Security Losses: An Alternative Quantitative Approach

IEEE Security and Privacy
Cost-Effective Security

IEEE Security and Privacy
The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

International Journal of Electronic Commerce
Privacy matters

Communications of the ACM - Enterprise information integration: and other tools for merging data
Market Reactions to Information Security Breach Announcements: An Empirical Analysis

International Journal of Electronic Commerce
Examining the shareholder wealth effects of announcements of newly created CIO positions

MIS Quarterly
The value relevance of announcements of transformational information technology investments

MIS Quarterly

Did IT consulting firms gain when their clients were breached?

Computers in Human Behavior

Quantified Score

Hi-index	0.00

Visualization

Abstract

Several U.S. states have enacted laws that require organizations to notify the affected individuals if personal data under their control is believed to have been acquired by an unauthorized person. In the EU, where a similar legislation is still missing, several researchers have recommended the introduction of a security-breach notification law. The intention of these laws is twofold. On one hand, they should enable affected individuals to take appropriate steps to protect themselves against malicious impacts resulting from the breach. On the other hand, it was intended to create incentives for companies to undertake steps to improve their security measures. In this contribution, we explore these incentives and present an event study in order to examine the effects of privacy incident announcements on the stock prices of affected companies. Our results show that there are significant price reactions on the next day following the announcements. By comparing these price reactions with those observed for other event types, we detect that disclosed privacy incidents are perceived as marginal by the market. The results show that existing disclosure regulation provides little to no incentives to invest in security measures to prevent the occurrence of privacy breaches, since they are widely ignored by the capital markets. From the widely discussed incentive perspective, the privacy breach disclosure legislation does not appear to be effectively addressing this goal.