Corporate Governance, Social Responsibility, and Data Breaches

The Financial Review 53 (2018) 413–455
We study whether corporate governance and social responsibility are related to data breaches. We find that socially responsible companies with smaller boards and greater financial expertise are less likely to be breached. The financial impact of a breach is visible in the long term. Specifically, data-breach firms have –3.5% one-year buy-and-hold abnormal returns. Additionally, banks with breaches have significant declines in deposits, and nonbanks have significant declines in sales in the long run. Finally, we find that following a data breach, companies are more likely to replace their chief executive officer and chief technology officer, as well as to improve their governance and social responsibility.
Keywords: data breaches, corporate social responsibility, corporate governance
JEL Classifications: G3, M14, M15
1. Introduction
In 2014, Sony announced a data breach in which a hacking group calling itself
“Guardians of Peace” brought down the studio’s corporate email, and leaked five
films and a slew of sensitive personnel data (Silverman and Fritz, 2014). These
personnel data included a spreadsheet allegedly containing salaries of some 6,000
employees and top executives as well as social security numbers and credit card
numbers (Silverman and Fritz, 2014). The theft greatly damaged the company’s
reputation, has the potential to reduce profits on films yet to be released, and is
expected to spawn dozens of legal actions that could also prove tremendously costly
to the firm. Although the Sony hack is unique in that it was motivated by Sony’s
movie The Interview, Sony is one of many corporate victims of data breaches. In
fact, there was a 73% increase in the number of data breaches from 2013 to 2014
according to a study by PricewaterhouseCoopers (2013). The majority of these attacks
were by outsiders to the company such as criminals, hackers (particularly activist
hackers, referred to as “hacktivists”) and competitors. Despite the increasing risk
of a company becoming the victim of a data breach, many corporate executives
still believe their companies are unequipped to handle the fallout from a breach
(Ponemon Institute Research Report, 2014). In this paper, we examine data breaches
from a corporate governance and financial perspective. We find that governance and
social responsibility choices affect the likelihood of a corporation being the victim of
a data breach. We also show that there are both short- and long-term financial effects, as well as governance changes, following a data breach.
A data breach is a “compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.”¹ Data breaches encompass a variety of actions, ranging from an individual hacking into a corporate data store and posting images of celebrities, to the theft of credit and debit card data, to improperly disposed protected documents being found by an outsider in a public trash container. Historically, the number of individuals affected by a single data breach has ranged from one to over 100 million. With the increased risk that companies will experience a data breach, it is important to understand why a company may become a victim, as well as to determine what impact the breach may have on the company in terms of both governance and corporate social responsibility. Investing in information security to prevent data breaches requires a management team that has a long-term vision and is willing to protect stakeholders, even with no tangible reward for their time and investment. Corporations with better governance may be more willing to invest in information security, thereby reducing the likelihood of being a victim of a data

¹ The definition comes from ISO/IEC 27040, one of the ISO/IEC 27000 family of international information security standards published jointly by the International Organization for Standardization and the International Electrotechnical Commission.
C. Lending et al./The Financial Review 53 (2018) 413–455 415
Additionally, a hacker's decision to pursue a data breach may follow a failure of corporate governance mechanisms or of other areas of social responsibility. Firm-level characteristics, such as environmental issues, human rights issues, and excessive executive compensation, may create an incentive for an activist hacker to focus on a particular corporation. Activists may also target a company if they object to its product, as in the case of Sony's movie. Similarly, hacktivists can target companies as a way to highlight some aspect of the firm of which they do not approve. For instance, The New York Times, Twitter and the Huffington Post lost control of some of their websites because hackers supporting the Syrian government breached the domain registrar that manages the addresses of many major websites. The hacktivists initiated the breach to highlight the issues in Syria and focused on media companies that had printed material opposing the Syrian government (Manning and Grubb, 2013). A study by Verizon found that over 58% of the data stolen in data breaches in 2011 was stolen by hacktivists, either to achieve some political end or to draw negative attention to a corporation (Goldman, 2012). This finding suggests that companies showing weaker social responsibility may be more likely to be targeted by hacktivists. If companies have both low social responsibility scores and weak governance, then they may also become a target for hackers looking to steal information that they can monetize.
In this paper, we are the first to study whether governance and social responsibility affect the probability of a data breach and whether these factors change following a breach. We examine potential causes and costs of data breaches by examining a sample of breached firms over the 2004–2012 period.² We examine whether governance, social, and other firm characteristics are associated with a corporation becoming the target of a data breach. We also measure whether breaches have financial implications for a firm by calculating short-run and long-run changes in both stock returns and operating performance. We confirm the results of other studies on short-term stock losses at the announcement of a data breach, but we are the first to examine and find operating performance losses following a breach. We also examine governance changes, including turnover of chief executive officers (CEOs) and chief technology officers (CTOs). Further, we examine whether firms that improve their governance following an initial breach reduce the likelihood that they will be breached again.
Many large and publicly traded corporations are subject to data breaches. Merging data from the Privacy Rights Clearinghouse with full financial data, we examine a sample of 271 U.S. data breaches from the 2004 to 2012 period. Our results are as follows: better-governed companies are less likely to be targeted by a data breach. Specifically, firms with smaller boards and more financial expertise are less likely to be targeted. Social responsibility also seems to play a role in determining which companies will be attacked. Companies with higher rankings in the environmental or product safety categories of the social responsibility rankings have a lower

² The sample is cut off in 2012 to allow ample time to pass for estimating changes subsequent to the data breach event.

