An Empirical Investigation of Company Response to Data Breaches

In stock

Publication History

Received: December 9, 2019
Revised: February 12, 2021; July 13, 2021; January 14, 2022
Accepted: March 1, 2022
Published Online as Articles in Advance: November 23, 2022
Published in Issue: Forthcoming

Downloadable File

Companies may face serious adverse consequences as a result of a data breach event. To repair the potential damage to relationships with stakeholders after data breaches, companies adopt a variety of response strategies. However, the effects of these response strategies on the behavior of stakeholders after a data breach are unclear; differences in response times may also affect these outcomes, depending on the notification laws that apply to each company. As part of a multimethod study, we first identified the adopted response strategies in Study 1 based on content analysis of the response letters issued by publicly traded U.S. companies (n = 204) following data breaches; these strategies include any combination of the following: corrective action, apology, and compensation. We also found that breached companies may remain silent and adopt a “no action” strategy. In Studies 2 and 3, we examined the effects of various response strategies and response times on the predominant stakeholders affected by data breaches: customers and investors. In Study 2, we focused on customers and present a moderated-moderated-mediation model based on the expectancy violation theory. To test this model, we designed a factorial survey with 15 different conditions (n = 811). In Study 3, we focused on investors and conducted an event study (n = 166) to examine their reactions to company responses to data breaches. The results indicate the presence of moderating effects of certain response strategies; surprisingly, we did not find compensation to be more effective than apology. The magnitude of the moderating effects of response strategies is contingent upon response time. We also found that the negative effects of data breaches disappear after six months. We interpret the results and provide implications for research and practice.

Additional Details
Author Hamid Reza Nikkhah and Varun Grover
Year 2022
Volume 46
Issue 4
Keywords Data breach, cybersecurity, response strategy, response time, data breach notification laws, multi-method, factorial survey, event study
Page Numbers 2163-2196
Copyright © 2023 MISQ. All rights reserved.