Financial Loss due to a Data Privacy Breach: An Empirical Analysis

Abstract

ABSTRACT Previous studies have explored the impact of the cybersecurity breach on the market value of the firm, but the impact of the data privacy breach on the firm performance is less explored. The terms cybersecurity breach and data privacy breach are sometimes used interchangeably, but they are two different things. In this study, we have used the event study methodology and standard market model (MM) to observe the effect of the data privacy breach on the firm performance. We have also observed the impact of firm-specific characteristics (such as firm size and firm type) and attack-specific characteristics (such as attack type and damage potency) on the cumulative abnormal return (CAR) due to privacy breaches. We have used data of 131 data privacy breaches related to US firms for the years 2012 (43 breaches), 2013 (37 breaches), and 2014 (51 breaches). We have selected the period 2012-2014 for study as we have observed the major data privacy breaches occurred during this period. The results of this study demonstrate that the data privacy breach announcement negatively affects the market value of the firm. Another interesting finding of this study is that the market values of larger firms are less adversely affected by the data privacy breach event than the smaller firms. We have also calculated the average financial loss, which comes out to be $ 229 million, $ 241 million, and $ 108 million in the year 2012, 2013, and 2014, respectively, due to these data privacy breaches.