Skip to main content Accessibility help
Hostname: page-component-8448b6f56d-m8qmq Total loading time: 0 Render date: 2024-04-20T17:07:59.638Z Has data issue: false hasContentIssue false

64 - Data Security, Data Breaches, and Compliance

from Part IX - Analysis of Particular Fields

Published online by Cambridge University Press:  07 May 2021

Benjamin van Rooij
School of Law, University of Amsterdam
D. Daniel Sokol
University of Florida
Get access


Abstract: This chapter explores the attributes of compliance in the context of data breaches. First, it identifies the sort of corporate governance problem that data breaches create. Then, it approaches the empirical work related to data breaches and to the organization of compliance-based responses in terms of risk assessment, training, and compliance, both preemptively and after a breach. Next, the chapter discusses the extant theoretical and empirical evidence about the short- and long-term impacts of IT security events on breached firms as well as corporate governance issues relating to data breaches. It also examines studies that evaluate the impact of different types of event on various types of firm and stakeholder. The chapter also explores how data breaches impact broader issues of corporate governance and compliance. In the end, it identifies potential research questions and avenues for future researchers on how firms or governments might have to think about their IT security investments and the necessary measures that have to be in place to respond effectively if such events occur.

Publisher: Cambridge University Press
Print publication year: 2021

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)


Ablon, L., Heaton, P., Lavery, D., and Romanosky, S. 2016. Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information. Santa Monica, CA: RAND Corporation.CrossRefGoogle Scholar
Acemoglu, D., Malekian, A., and Ozdaglar, A. 2016. “Network Security and Contagion.” Journal of Economic Theory 166: 536–85.Google Scholar
Acquisti, A., Friedman, A., and Telang, R. 2006. “Is There a Cost to Privacy Breaches? An Event Study.” Proceedings of the 3rd International Conference on Intelligent Systems (ICIS).Google Scholar
Akerlof, G. 1970. “The Market for Lemons: Quality Uncertainty and the Market Mechanism.” Quarterly Journal of Economics 84: 488500.Google Scholar
Anderson, R. 2001. “Why Information Security Is Hard – An Economic Perspective.” Proceedings of the 17th Annual Computer Security.Google Scholar
Anderson, R. J., and Moore, T. 2006. “The Economics of Information Security.” Science 314: 610–13.CrossRefGoogle ScholarPubMed
Arcuri, M. C., Brogi, M., and Gandolfi, G. 2014. “The Effect of Information Security Breaches on Stock Returns: Is the Cyber Crime a Threat to Firms?” European Financial Management Association Meeting, Rome.Google Scholar
Beautement, A., Becker, I., Parkin, S., Krol, K., and Sasse, M. A. (2016). “Productive Security: A Scalable Methodology for Analysing Employee Security Behaviours.” Proceedings of the Symposium on Usable Privacy and Security (SOUPS) (253–70).Google Scholar
Benaroch, M. 2017. “Real Options Models for Proactive Uncertainty: Reducing Mitigations and Applications in Cybersecurity Investment Decisionmaking.” Information Systems Research, forthcoming. 10.1287/isre.2017.0714.Google Scholar
Buckman, J., Hashim, M. J., Woutersen, T., and Bockstedt, J. (2019). “Fool Me Twice? Data Breach Reductions Through Stricter Sanctions.” Working paper, Scholar
Campbell, K., Gordon, L. A., Loeb, M. P., and Zhou, L. 2003. “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market.” Journal of Computer Security 11(3): 431–48.Google Scholar
Cannon, D. M., and Kessler, L. 2007. “Danger–Corporate Data Breach!Journal of Corporate Accounting & Finance 18(5): 41–9.CrossRefGoogle Scholar
Calo, R. 2015. “Robotics and the Lessons of Cyberlaw.” California Law Review 103(3): 513–63.Google Scholar
Cao, Y., Xiao, C., Cyr, B., Zhou, Y., Park, W., Rampazzi, S., Chen, Q. A., Fu, K., and Mao, Z. M. 2019. “Adversarial Sensor Attack on LiDAR-based Perception in Autonomous Driving.” Proceedings of the 26th ACM Conference on Computer and Communications Security (ACM CCS), November.CrossRefGoogle Scholar
Cavusoglu, H., Mishra, B., and Raghunathan, S. 2004. “The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers.” International Journal of Electronic Commerce 9(1): 70104.Google Scholar
Chai, S., Kim, M., and Rao, H. R. 2011. “Firms’ Information Security Investment Decisions: Stock Market Evidence of Investors’ Behavior.” Decision Support Systems 50(4): 651–61.Google Scholar
Chatterjee, C., and Sokol, D. D. 2019. “Don’t Acquire a Company Until You Evaluate Its Data Security.” Harvard Business Review. Scholar
Chen, J. V., Li, H. C., Yen, D. C., Bata, K. V. 2012. “Did IT Consulting Firms Gain When Their Clients Were Breached?Computers in Human Behavior 28(2): 456–64.Google Scholar
Chronopoulos, M., Panaousis, E., and Grossklags, J. 2018. “An Options Approach to Cybersecurity Investment.” IEEE Access 6: 12175–86.Google Scholar
Collins, J. D., Sainato, V. A., and Khey, D. N. 2011. “Organizational Data Breaches 2005–2010: Applying SCP to the Healthcare and Education Sectors.” International Journal of Cyber Criminology 5(1): 794810.Google Scholar
Cummins, J. D., Lewis, C. M., and Wei, R.. 2006. “The Market Value Impact of Operational Loss Events for US Banks and Insurers.” Journal of Banking & Finance 30(10): 2605–34.Google Scholar
Garg, A., Curtis, J., and Halper, H. 2003. “Quantifying the Financial Impact of IT Security Breaches.” Information Management and Computer Security 11(2): 7483.Google Scholar
Gartner. 2019. “Gartner Says IT Security Spending to Hit $124B in 2019.” Scholar
Goel, S., and Shawky, H. A. 2009. “Estimating the Market Impact of Security Breach Announcements on Firm Values.” Information & Management 46(7): 404–10.CrossRefGoogle Scholar
Gordon, L. A., Loeb, M. P., and Zhou, L. 2011. “The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?Journal of Computer Security 19(1): 3356.Google Scholar
Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Zhou, L. 2018. “Empirical Evidence on the Determinants of Cybersecurity Investments in Private Sector Firms.” Journal of Information Security 9(2): 133–53.CrossRefGoogle Scholar
Hilary, G., Segal, B., and Zhang, May H. 2016. “Cyber-Risk Disclosure: Who Cares?” Georgetown McDonough School of Business Research Paper No. 2852519.Google Scholar
Hinz, O., Nofer, M., Schiereck, D., and Trillig, J. 2015. “The Influence of Data Theft on the Share Prices and Systematic Risk of Consumer Electronics Companies.” Information & Management 52(3): 337–47.Google Scholar
Hovav, A., and D’Arcy, J. 2003. “The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms.” Risk Management and Insurance Review 6(2): 97121.Google Scholar
Jacobs, J., Romanosky, S., Edwards, B., Roytman, M., and Adjerid, I. 2019. “Exploit Prediction Scoring System (EPSS).” Scholar
Jensen, M. C., and Meckling, W. H. (1976). “Theory of the Firm: Managerial Behaviour, Agency Costs and Ownership Structure.” Journal of Financial Economics 3(4): 305–60.CrossRefGoogle Scholar
Jin, G. Z. 2019. “Artificial Intelligence and Consumer Privacy.” in The Economics of Artificial Intelligence: An Agenda, edited by Agrawal, Ajay, Goldfarb, Avi, and Gans, Joshua. Chicago: University of Chicago Press.Google Scholar
Kannan, K., Rees, J., and Sridhar, S. 2007. “Market Reactions to Information Security Breach Announcements: An Empirical Analysis.” International Journal of Electronic Commerce 12(1): 6991.CrossRefGoogle Scholar
Ko, M., and Dorantes, C. 2006. “The Impact of Information Security Breaches on Financial Performance of the Breached Firms: An Empirical Investigation.” Journal of Information Technology Management 17(2): 1322.Google Scholar
Ko, M., Osei-Bryson, K. M., and Dorantes, C. 2009. “Investigating the Impact of Publicly Announced Information Security Breaches on Three Performance Indicators of the Breached Firms.” Information Resources Management Journal (IRMJ) 22(2): 121.Google Scholar
Kovenock, D., and Roberson, B. 2018. “The Optimal Defense of Networks of Targets.” Economic Inquiry 56(4): 21952211.Google Scholar
Libicki, M. C., Ablon, L., and Webb, T. 2015. “The Defender’s Dilemma: Charting a Course Toward Cybersecurity.” Technical Report Research Report 1024, RAND Corporation.Google Scholar
Mangelsdorf, M. E. 2017. What Executives Get Wrong About Cybersecurity. MIT Sloan Management Review 58(2): 22.Google Scholar
Mitra, S., and Ransbotham, S. 2015. “Information Disclosure and the Diffusion of Information Security Attacks.” Information Systems Research 26(3): 565–84.CrossRefGoogle Scholar
Modi, S. B., Wiles, M. A., and Mishra, S. 2015. “Shareholder Value Implications of Service Failures in Triads: The Case of Customer Information Security Breaches.” Journal of Operations Management 35: 2139.Google Scholar
Moore, T., Moore, D., and Chang, F. 2016. “Identifying How Firms Manage Cybersecurity Investment.” In 15th Workshop on the Economics of Information Security (WEIS).Google Scholar
Mulligan, D. K., and Bamberger, K. A. 2016. “Public Values, Private Infrastructure and the Internet of Things: The Case of Automobiles.” Journal of Law & Economic Regulation 9(1): 744.Google Scholar
NACD (2017). Director’s Handbook on Cyber-Risk Oversight. Scholar
Pirounias, S., Mermigas, D., and Patsakis, C. 2014. “The Relation Between Information Security Events and Firm Market Value, Empirical Evidence on Recent Disclosures: An Extension of the GLZ Study.” Journal of Information Security and Applications 19(4): 257–71.Google Scholar
Romanosky, Sasha. 2016. “Examining the Costs and Causes of Cyber Incidents.” Journal of Cybersecurity 2(2): 121–35.Google Scholar
Romanosky, S., Telang, R., and Acquisti, A. 2011. “Do Data Breach Disclosure Laws Reduce Identity Theft?Journal of Policy Analysis and Management 30(2): 256–86.Google Scholar
Romanosky, S., Hoffman, D., and Acquisti, A. 2014. “Empirical Analysis of Data Breach Litigation.” Journal of Empirical Legal Studies 11(1): 74104.Google Scholar
Rothrock, R. A., Kaplan, J., and Van der Oord, F., 2018. “The Board’s Role in Managing Cybersecurity Risks.” MIT Sloan Management Review 59(2) (Winter): 1215.Google Scholar
Slotwiner, D. J., Deering, F., Fu, K., Russo, A. M., Walsh, M. N., and Van Hare, G. F. 2018. “Cybersecurity Vulnerabilities of Cardiac Implantable Electronic Devices.” Heart Rhythm 15(7) (May): e61e67.Google Scholar
Solomon, Michael G., and Chapple, M. 2005. Information Security Illuminated. Burlington, MA: Jones & Bartlett Learning.Google Scholar
Solove, Daniel J., and Citron, Danielle K. 2018. “Risk and Anxiety: A Theory of Data Breach Harms.” Texas Law Review 96: 737–86.Google Scholar
Sombatruang, N., Onwuzurike, L., Sasse, M. A., and Baddeley, M. 2019. “Factors Influencing Users to Use Unsecured Wi-Fi Networks: Evidence in the Wild.” WiSec 2019 – Proceedings of the 2019 Conference on Security and Privacy in Wireless and Mobile Networks, 203–14. Scholar
Spanos, G., and Angelis, L. 2016. “The Impact of Information Security Events to the Stock Market: A Systematic Literature Review.” Computers & Security 58: 216–29.Google Scholar
Telang, R., and Wattal, S. 2007. “An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price.” IEEE Transactions on Software Engineering 33(8): 544–57.Google Scholar
Thales. 2017. “2017 Thales Data Threat Report: Trends in Encryption and Data Security (Financial Services Edition).” Scholar
Yayla, A. A., and Hu, Q. 2011. “The Impact of Information Security Events on the Stock Value of Firms: The Effect of Contingency Factors.” Journal of Information Technology 26(1): 6077.CrossRefGoogle Scholar

Save book to Kindle

To save this book to your Kindle, first ensure is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the or variations. ‘’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats