On the effectiveness of privacy breach disclosure legislation in Europe. Empirical evidence from the US stock market

Abstract

Several U.S. states have enacted laws that require organizations to notify the affected individuals if personal data under their control is believed to have been acquired by an unauthorized person. In the EU, where similar legislation is still missing, several researchers have recommended the introduction of a security-breach notification law. The intention of these laws is twofold. On one hand, they should enable affected individuals to take appropriate steps to protect themselves against malicious impacts resulting from the breach. On the other hand, it was intended to create incentives for companies to undertake steps to improve their security measures. In this contribution, we explore these incentives and present an event study in order to examine the effects of privacy incident announcements on the stock prices of affected companies. Our results show that there are significant price reactions on the next day following the announcements. By comparing these price reactions with those observed for other event types, we detect that disclosed privacy incidents are perceived as marginal by the market. The results show that existing disclosure regulation provides little to no incentives to invest in security measures to prevent the occurrence of privacy breaches, since they are widely ignored by the capital markets. From the widely discussed incentive perspective, the privacy breach disclosure legislation does not appear to be effectively addressing this goal.