When Do Companies Disclose Data Breaches?

Every year, millions of people's personal data, including passwords, credit card information, and health information, slip into the hands of unauthorized persons as a result of hacking or companies data processing errors.

This can have devastating consequences for victims, from financial losses to identity theft. These leaks are frequently made public because companies in many countries are obligated by law to report such instances to authorities and notify their customers in order to protect their customers.

In such circumstances, a quick response is actually essential to prevent the spread of stolen data and avoid its misuse. However, legal deadlines allow companies some flexibility in the timing of their disclosure reports. In the European Union, any data leakage that may harm the individuals affected must be reported within 72 hours. Notice periods in the United States can range from 30 to 90 days, depending on the state.

Over 8,000 leaks in 10 years

Jens Foerderer, professor of innovation and digitalization at the Technical University of Munich (TUM) and Sebastian Schuetz, professor of information systems and business analysis at Florida International University, came to the surprising conclusion that share prices and company values were not affected by data breach announcements.

Jens Foerderer stated: "That surprised us, because leaks are damaging to a company’s image and lead to a loss of trust among customers, which should actually lead to a sharp decrease in the stock market valuation. Our hypothesis was that the investors’ attention was distracted by other news."

Researchers examined publicly listed US companies from 2008 to 2018 and acquired data on when more than 8,000 data breaches were revealed, using information from the nonprofit Identity Theft Resource Center (ITRC). They then compared this information to the dates when most companies presented their quarterly profit reports, when a large amount of market data was expected to be released.

Interesting results on breaches caused by internal factors

This study supports the researchers' assumption that the frequency of data breach press releases is considerably higher on days when daily and industry news dominate the headlines, particularly when serious data breaches caused by internal neglect or errors, as well as leaks of health or personal identity information, were involved. It has long been recognized that there is a significant relationship between the timing of data breach disclosure and other important news,that tend to dominate public attention.

Federer stated: " On heavy news days, both newsrooms and analysts have to prioritize the information they pick up. Our results suggest that companies strategically schedule the disclosure of data leaks and deliberately target times when the announcement will receive less attention."

Share prices are less affected on heavy news days

During the second step of the study, the researchers wanted to know whether this technique was successful for the companies, so they analyzed the performance of company stocks after the data loss was announced. They came to the conclusion that, while stock values fell on average, the loss was substantially less on busy news days.

"Companies that bury their data handling mistakes under other news thus avoid public pressure for them and other companies to take stronger measures against data breaches," explains Sebastian Schuetz.

Restrict time limits

The researchers recommend that the amount of time companies have to announce data leaks should be limited as much as possible. So much so that, according to Jens Foerderer, "The longer the disclosure deadline, the more companies can plan the announcements strategically and evade the actual purpose of disclosure."

Source: Help Net Security