How companies time data leak disclosures

Every year the personal data of millions of people, such as passwords, credit card details, or health details, fall into the hands of unauthorized persons through hacking or data processing errors by companies.

The consequences for those affected can be devastating, from financial losses to identity theft. To protect their customers, companies in many countries are required by law to report such incidents to the regulatory authorities and inform their customers. As a result, such leaks usually become public knowledge.

In such situations, a rapid response is actually needed to limit the spread and avoid abuse of the stolen data. However, the deadlines specified by laws give companies leeway in the timing of disclosures. In the EU, any data leak that may result in risks for the concerned individuals must be reported within 72 hours. In the USA, the reporting deadlines vary by state from 30 to 90 days.

10 years, 8,000+ leaks

When Jens Foerderer, a professor of innovation and digitalization at the Technical University of Munich (TUM), and Sebastian Schuetz, a professor of information systems and business analytics at Florida International University, studied incidents of this kind, they were astonished to see that share prices were relatively unresponsive to announcements of data breaches.

“That surprised us, because leaks are damaging to a company’s image and lead to a loss of trust among customers, which should actually lead to a sharp decrease in the stock market valuation,” says Jens Foerderer. “Our hypothesis was that the investors’ attention was distracted by other news.”

The researchers identified the time of disclosure of more than 8,000 data leaks of publicly traded US companies between 2008 and 2018, using information obtained from the non-profit organization Identity Theft Resource Center (ITRC). They then checked the timing against the dates on which many companies presented their quarterly figures – dates on which it was obvious in advance that large quantities of market-related information would be released. For that purpose, they analyzed the Wall Street Journal, the most important business newspaper in the USA.

Significant result in case of breaches with internal causes

The study confirms the researchers’ conjecture: there was a significantly greater incidence of data breach disclosures on days when other news dominated the headlines. There was a particularly strong correlation between the general news situation and the disclosure date in case of serious data breaches caused by internal negligence or errors and in case of leaks of health information or personal identity data.

“On heavy news days, both newsrooms and analysts have to prioritize the information they pick up. Our results suggest that companies strategically schedule the disclosure of data leaks and deliberately target times when the announcement will receive less attention,” says Foerderer.

Less impact on share prices on heavy news days

In a second step, the researchers wanted to know whether this tactic was successful for the companies. To do this, they looked at the performance of companies’ shares following the disclosure of data losses. Although share prices were lower on average, the decrease was in fact less on busy news days.

“Companies that bury their data handling mistakes under other news thus avoid public pressure for them and other companies to take stronger measures against data breaches,” says Sebastian Schuetz.

Keep leeway to a minimum

The researchers recommend that the leeway for the timing of data loss announcements should be made as restrictive as possible. “The longer the disclosure deadline, the more companies can plan the announcements strategically and evade the actual purpose of disclosure,” says Jens Foerderer.