Abstract
We exploit state-level variation in data breach disclosure laws to study whether shareholders benefit from consumer protection regulation. While the intended purpose of these laws is consumer protection, we argue that the laws can help reduce shareholder risk through both a real effects channel (i.e., encouraging firms to prioritize cybersecurity) and a capital markets channel (i.e., serving as a commitment to disclose). Consistent with these arguments, we find an on-average decrease in shareholder risk, proxied by cost of equity, after the staggered passage of these laws. We also find the effect is stronger for firms that did not prioritize cybersecurity before the laws and for firms with ex ante worse information environments. Finally, after passage of these laws, firms are more likely to have an IT security officer and increase IT investments. Our collective evidence suggests that consumer protection regulation, in the form mandated disclosure to other stakeholders, benefits shareholders.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
