Sound and Fury, Signifying Nothing? Impact of Data Breach Disclosure Laws

Muhammad Zia Hydari, Yangfan Liang, Rahul Telang
2024-06-21
Abstract: Data breach disclosure (DBD) is presumed to improve firms' cybersecurity practices by inducing fear of subsequent revenue loss. This revenue loss, the theory goes, will occur if customers punish an offending firm by refusing to buy from them and is assumed to be the primary mechanism through which DBD laws will change firm behavior ex ante. However, our analysis of a large-scale data breach at a US retailer reveals no evidence of a decline in revenue. Using a difference-in-difference design on revenue data from 302 stores over a 20-week period around the breach disclosure, we found no evidence of a decline either across all stores or when sub-sampling by prior revenue size (to account for any heterogeneity in prior revenue size). Therefore, we posit that the presumed primary mechanism of DBD laws, and thus these laws, may be ineffective and merely a lot of "sound and fury, signifying nothing."
Cryptography and Security, Computers and Society, General Economics
What problem does this paper attempt to address?
This paper attempts to explore whether Data Breach Disclosure Laws (DBDL) are effective. Specifically, the paper examines the effectiveness of these laws by analyzing the sales performance of Home Depot stores following a large-scale data breach in 2014, which affected the largest home improvement retailer in the United States.

### Background and Research Question

The theoretical basis of Data Breach Disclosure Laws is that by requiring companies to disclose information to the public after a data breach, companies will be incentivized to strengthen their cybersecurity measures to avoid revenue loss due to customer attrition. However, this theoretical assumption lacks empirical support. The core question of the paper is to verify whether this assumption holds, i.e., whether data breach disclosure actually leads to a decline in company revenue, thereby prompting companies to improve their cybersecurity practices.

### Research Method

To answer this question, the authors employed a Difference-in-Differences (DID) design, analyzing the sales data of 302 Home Depot stores before and after the 2014 data breach. The study spans 20 weeks: 9 weeks before the breach, the week of the breach, and 10 weeks after the breach. The authors also used the presence of competitor Lowe's stores near Home Depot stores to construct treatment and control groups.

### Main Findings

1. **Overall Results**: The study found no evidence of revenue decline after the data breach disclosure, whether in the overall sales data of all stores or in subsamples stratified by previous sales scale.
2. **Heterogeneity Analysis**: Further analysis showed no evidence of a negative impact on sales due to data breach disclosure, even among stores of different sales scales.
3. **Robustness Checks**: The authors conducted robustness checks by changing the competition distance thresholds (e.g., 1 mile, 2 miles, 4 miles) and by using continuous competition distance indicators. The results remained consistent, with no significant impact of data breach disclosure on sales.

### Conclusion

The paper concludes that the primary mechanism of Data Breach Disclosure Laws (prompting companies to improve cybersecurity behavior for fear of revenue loss) may be ineffective. Therefore, these laws might be "sound and fury, signifying nothing."

### Implications

These findings have important implications for policymakers and companies. If Data Breach Disclosure Laws cannot prompt companies to improve cybersecurity through the expected mechanism (i.e., revenue decline), it may be necessary to reassess the effectiveness and necessity of these laws and to explore other, more effective regulatory measures.
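As an added illustration, not code from the paper or its authors, the following implements the two-by-two difference-in-differences estimator behind the design described above on a constructed store-week panel: treatment is assigned by distance to the nearest competitor, the disclosure week is dropped, and the estimate is re-run at the 1-, 2- and 4-mile thresholds. The constructed data, the 2-mile "switching" radius used to inject a post-disclosure effect, the noise level and the function names are all assumptions for the demonstration.

```python
from dataclasses import dataclass
from statistics import mean
import random

N_WEEKS = 20      # 9 pre-disclosure weeks, the breach week, 10 post-disclosure weeks
BREACH_WEEK = 9   # the disclosure week itself is dropped from the estimate


@dataclass
class StoreWeek:
    store: int
    week: int
    revenue: float
    competitor_miles: float  # distance from this store to the nearest competitor


def make_panel(n_stores=302, effect=0.0, seed=1):
    """Constructed panel (assumption, not the paper's data): store baseline plus a
    common weekly trend plus noise. `effect` is added to post-disclosure revenue of
    stores with a competitor within 2 miles, the radius assumed here to allow switching."""
    rng = random.Random(seed)
    rows = []
    for s in range(n_stores):
        miles = (s % 10) * 0.5            # spreads stores over 0.0 .. 4.5 miles
        baseline = 100.0 + (s % 7) * 5.0  # heterogeneous store size
        for w in range(N_WEEKS):
            rev = baseline + 0.5 * w + rng.gauss(0, 2)
            if w > BREACH_WEEK and miles <= 2.0:
                rev += effect
            rows.append(StoreWeek(s, w, rev, miles))
    return rows


def did_estimate(rows, threshold_miles):
    """Treated = competitor within threshold, control = otherwise; pre/post split at the
    breach week. (treated post - treated pre) - (control post - control pre): additive
    store and week effects cancel, leaving the post-disclosure effect on treated stores."""
    cells = {(t, p): [] for t in (False, True) for p in (False, True)}
    for r in rows:
        if r.week == BREACH_WEEK:
            continue
        cells[(r.competitor_miles <= threshold_miles, r.week > BREACH_WEEK)].append(r.revenue)
    if any(not v for v in cells.values()):
        raise ValueError("empty DID cell at threshold %.1f miles" % threshold_miles)
    m = {k: mean(v) for k, v in cells.items()}
    return (m[(True, True)] - m[(True, False)]) - (m[(False, True)] - m[(False, False)])


def robustness(rows, thresholds=(1.0, 2.0, 4.0)):
    """Re-estimate under the alternative competition-distance thresholds the paper uses."""
    return {t: did_estimate(rows, t) for t in thresholds}
```

With `effect=0.0` every threshold returns an estimate near zero, which is the null result the paper reports; with a negative `effect` the 2-mile threshold recovers it, while the 1- and 4-mile thresholds attenuate it because they misclassify part of the affected stores, which is why re-running at several thresholds is a meaningful check.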