When Do Companies Announce Data Breach?

Dec 13, 2022 / Kron

Every year, millions of people's personal data, such as passwords, credit card information, or health information, slip into the hands of unauthorized persons as a result of hacking or data processing errors by companies.

This can have devastating consequences for victims, from financial losses to identity theft. These leaks are frequently made public because companies in many countries are obligated by law to report such instances to authorities and notify their customers in order to protect them.

In such circumstances, a quick response is actually essential to prevent the spread of stolen data and avoid its misuse. However, the law's deadlines allow companies some flexibility in the timing of their reports. In the European Union, any data leakage that may harm the people involved must be reported within 72 hours. Notice periods in the United States can range from 30 to 90 days, depending on the state.

Over 8,000 leaks in 10 years

Jens Foerderer, professor of innovation and digitalization at the Technical University of Munich (TUM), and Sebastian Schuetz, professor of information systems and business analysis at Florida International University, came to the surprising conclusion that share prices and company values were not affected by data breach announcements.

Jens Foerderer stated: "This surprised us since leaks harm the company's reputation and erode customer trust. This, in reality, should cause a sharp drop in stock market value," he says, while "other news, according to our hypothesis, is distracting investors."

Researchers examined publicly listed US companies from 2008 to 2018 and acquired data on when more than 8,000 data breaches were revealed, using information from the nonprofit Identity Theft Resource Center (ITRC). They then compared this information to the dates when most companies presented their quarterly profit reports, when a large amount of market data was expected to be released.

Interesting results on breaches caused by internal factors

This study supports the researchers' assumption that the frequency of data breach press releases is considerably higher on days when daily and industry news dominate the headlines, and that serious data breaches caused by internal neglect or errors, as well as leaks of health or personal identity information, are not revealed to the press. It has long been recognized that there is a significant relationship between the timing of an announcement and other important news, i.e. the intensity of the news agenda.

Foerderer stated: "Both news centers and analysts have to prioritize the information they acquire on heavy news days. According to our findings, companies strategically decide when to disclose data leaks and pick times when disclosure would receive less attention on purpose."

Share prices are less affected on heavy news days

In the second part of the study, the researchers wanted to know whether this technique was successful for companies, so they analyzed the performance of company stocks after the data loss was announced. They came to the conclusion that, while stock values fell on average, the loss was substantially less on busy news days.

"Companies cover up data processing failures with other news, avoiding public pressure for themselves and other companies to take tougher action against data breaches," explains Sebastian Schuetz.

Minimize time flexibility

The researchers recommend that companies limit the amount of time they have to announce data leaks as much as possible. So much so that, according to Jens Foerderer, "the longer the time given for the disclosure, the more strategically the companies plan their statements and they divert from the true goal of the disclosure."

 

Source: Help Net Security
