By Cynthia Corzo
Data breaches can have a negative impact on a company's image and on its bottom line. Hoping to diminish the stock market's reaction to these incidents, many publicly traded companies are closely monitoring what else is happening in the news, according to research from FIU Business.
The study, published in the October 2022 issue of Management Science, finds evidence suggesting that corporations are strategically timing announcements of serious data breaches to coincide with busy news days so the data breach news receives less or no media coverage.
"Facebook announced data breaches during confirmation hearings of [Supreme Court] Justice Brett Kavanaugh," said Sebastian Schuetz, assistant professor of information systems and business analytics at FIU Business, who conducted the research. That included a massive hack that exposed the credentials of 50 million users. "You really had to go through the internet to find them; nobody cared about the Facebook breaches then."
The practice appears to be more prevalent for severe breaches such as those that leak medical records or credit card information.
Data breach laws in the U.S. allow firms 45 to 60 days after the event to notify the parties affected, Schuetz explained. The longer the disclosure deadline, the more companies are able to strategically plan their announcements.
The researchers examined the time of disclosure of more than 2,700 data leaks of publicly traded U.S. companies between 2008 and 2018, using information obtained from the Identity Theft Resource Center, which monitors incidents at entities that are located or conduct business in the U.S. and that affect U.S. consumers.
Busy news days were measured based on the number of items unrelated to data breach announcements that appeared in The Wall Street Journal front-page column What's News: Business & Finance.
Now the researchers will turn their attention to the Cyber Incident Reporting Critical Infrastructure Act of 2022, which establishes that covered cyber incidents must be reported within 72 hours. They plan, Schuetz noted, to revisit the research in five years to analyze whether anything has changed in companies' reporting strategies.
Schuetz conducted the study with Jens Foerderer of the Technical University of Munich.