When the Data Are Out: Measuring Behavioral Changes Following a Data Breach

Abstract

As the quantity and value of data increase, so do the severity of data breaches and customer privacy invasions. While firms typically publicize their post-breach protective actions, little is known about the social, behavioral, and economic aftereffects of major breaches. Specifically, do individual customers alter their interactions with the firm, or do they continue with “business as usual”? We address this general issue via data stemming from a matchmaking website, one for those seeking an extramarital affair, that was breached. The data include de-identified profiles of paying male users from the United States, and their activities on the website since joining, and up to 3 weeks after, the disclosure of the data breach. A challenge in making causal inference(s) in the setting of a massive and highly publicized data breach is that all users were informed of the breach at the same time. In such cases of “information shock”, there is no obvious control group. To resolve this problem, we propose Temporal Causal Inference: for each group of users who joined in a specific time period, we create an appropriate control group from the set of all users who had joined in prior ones. This procedure helps control for, among other elements, potential trends in both individual and temporal site usage that broadly fall under the rubric of “normal” usage trajectories. Following construction of suitable control groups, we apply and extend several causal inference approaches. In particular, we adapt Athey, Tibshirani and Wager’s (2019) Causal Forests (among other forest-based methods) into Temporal Causal Forests, to better align ‘temporal’ inference settings. The combination of Temporal Causal Inference and Temporal Causal Forests methods allows us to extract insights regarding the homogenous (average) treatment effect, along with nontrivial heterogeneity in responses to the data breach. Our analyses reveal that there is a decrease in the probability of being active in searching or messaging on the website, and a notable increase in the probability of deleting photos, ostensibly to avoid personal identification. We investigate several potential sources of heterogeneity in response to the breach announcement, and conclude with a discussion of both managerial consequences and policy considerations.