Publicly announcing data breaches is generally seen as good corporate citizenship, as it allows other organizations that may be at risk of a breach to shore up their defenses. Research from Florida International University, however, highlights how lax many organizations are about doing this.
Indeed, the research suggests that many organizations will deliberately stage the timing of these announcements around a breaking news story in a bid to bury the announcement and minimize any negative media coverage that may result.
“We estimate that strategic timing reduces the median decline in market capitalization loss resulting from a data breach, from $347 million to $85 million,” the researchers explain.
Harmful strategy
While this approach has evident charms for the companies themselves, the researchers found that it’s a strategy that nonetheless harms consumers. This is because the stock markets fail to adequately process the information and factor it into the stock price of the firms affected.
The researchers found that these attempts to bury the bad news are most common when the data breaches are of greatest interest to consumers, for instance when the breach is particularly severe or involves sensitive data, such as our financial or health data.
“Based on our findings, we recommend lawmakers mandate shorter disclosure deadlines, from the current 30-day deadline to just three days,” the authors conclude. “Strategic timing is harmful for consumers because it undermines the effectiveness of current U.S. data breach legislation. Because consumers and investors receive less information about the occurrence of a data breach, less change is being promoted in firms to protect consumers against future security issues.”