Corporate Governance, Social Responsibility, and Data Breaches

• Published date: 01 May 2018
• DOI: http://doi.org/10.1111/fire.12160
• Date: 01 May 2018

The Financial Review 53 (2018) 413–455

Corporate Governance, Social

Responsibility, and Data Breaches

Claire Lending

Western Washington University

Kristina Minnick∗

Bentley University

Patrick J. Schorno

Ally Financial

Abstract

We study whether corporate governance and social responsibility are related to data

breaches. Wefind that socially responsible companies with smaller boards and greater financial

expertise are less likely to be breached. The financial impact of a breach is visible in the long

term. Specifically, data-breach firms have –3.5% one-year buy-and-hold abnormal returns.

Additionally, banks with breaches have significant declines in deposits and nonbanks have

significant declines in sales in the long run. Finally, we find that following a data breach,

companies are more likely to replace their chief executive officerand chief technology officer

as well as improve their governance and social responsibility.

Keywords: data breaches, corporate social responsibility, corporate governance

JEL Classifications: G3, M14, M15

∗Corresponding author: Department of Finance, Bentley University, 175 Forest St. Waltham,MA 02452;

Phone: (781) 891–2941; E-mail: kminnick@bentley.edu.

The views expressed in this paper are those of the authors and do not necessarily reflect those of Ally

Financial.

C2018 The Eastern Finance Association 413

414 C. Lending et al./The Financial Review 53 (2018) 413–455

1. Introduction

In 2014, Sony announced a data breach in which a hacking group calling itself

“Guardians of Peace” brought down the studio’s corporate email, and leaked five

films and a slew of sensitive personnel data (Silverman and Fritz, 2014). These

personnel data included a spreadsheet allegedly containing salaries of some 6,000

employees and top executives as well as social security numbers and credit card

numbers (Silverman and Fritz, 2014). The theft greatly damaged the company’s

reputation, has the potential to reduce profits on films yet to be released, and is

expected to spawn dozens of legal actions that could also prove tremendously costly

to the firm. Although the Sony hack is unique in that it was motivated by Sony’s

movie The Interview, Sony is one of many corporate victims of data breaches. In

fact, there was a 73% increase in the number of data breaches from 2013 to 2014

according to a study by PricewaterhouseCoopers (2013). The majority of these attacks

were by outsiders to the company such as criminals, hackers (particularly activist

hackers, referred to as “hacktivists”) and competitors. Despite the increasing risk

of a company becoming the victim of a data breach, many corporate executives

still believe their companies are unequipped to handle the fallout from a breach

(Ponemon Institute Research Report, 2014). In this paper, we examine data breaches

from a corporate governance and financial perspective. We find that governance and

social responsibility choices affect the likelihood of a corporation being the victim of

a data breach. We also showthat there are both short- and long-term financial effects,

and governance changes following a data breach.

A data breach is a “compromise of security that leads to the accidental or un-

lawful destruction, loss, alteration, unauthorized disclosure of, or access to protected

data transmitted, stored or otherwise processed.”1Data breaches encompass a variety

of actions ranging from an individual hacking into a corporate data site and posting

images of celebrities to stealing data for credit and debit cards to having improperly

disposed of protected documents found by an outsider in a public trash container. His-

torically, the magnitude of individuals affected by a specific data breach has ranged

from one to over 100 million. With the increased risk that companies will experience

a data breach, it is important to understand why a company may become a victim as

well as to determine what impact the breach may have on the company in terms of

both governance and corporate social responsibility.Investing in information security

to prevent data breaches requires a management team that has both a long-term vision

and is willing to protect stakeholders, even with no tangible reward for their time

and investment. Corporations with better governance may be more willing to invest

in information security, thereby reducing the likelihood of being a victim of a data

breach.

1The definition comes from ISO/IEC 27040, which is a family of international standards published by the

International Organization for Standardization and the International Electrotechnical Commission.

C. Lending et al./The Financial Review 53 (2018) 413–455 415

Additionally, the decision for a hacker to pursue a data breach may occur when

corporate governance mechanisms or other areas of social responsibility have failed.

Firm-level characteristics, such as environmental issues, human rights issues, and

excessive executive compensation, may create an incentive for an activist hacker to

focus on a certain corporation. Activists may also target a company if they object to

the product, such as in the case of Sony’s movie. Similarly, hacktivists can also target

companies as a way to highlight some aspect of the firm of which they do not approve.

For instance, The New York Times, Twitter and the Huffington Post lost control of

some of their websites because hackers supporting the Syrian government breached

the Internet company that manages many major website addresses. The hacktivists

initiated the breach to highlight the issues in Syria and focused on media companies

that printed material opposing the Syrian government (Manning and Grubb, 2013).

A study by Verizon found that over 58% of the data stolen in data breaches in 2011

was stolen by hacktivists as a way to achieve some political ends or to draw negative

attention to a corporation (Goldman, 2012). This finding suggests that companies

showing weaker social responsibility may be more likely targeted by hacktivists. If

companies have both low social responsibility scores and weak governance,then they

may become a target for hackers looking to steal information that they can monetize.

In this paper, we are the first to study whether governanceand social responsibil-

ity affect the probability of a data breach and whether these factors change followinga

breach. We examine potential causes and costs of data breaches by examininga sam-

ple of breached firms over the 2004–2012 period.2Weexamine whether governance,

social, and other firm characteristics are associated with a corporation becoming a

target of a data breach. Wealso measure whether breaches have financial implications

for a firm by calculating short-run and long-run changes in both stock returns and

operating performance. We confirm the results of other studies on short-term stock

losses at the announcement of a data breach but are the first to examine and find finan-

cial operating performance losses following a breach. We also examine governance

changes, including turnover of chief executive officers (CEOs) and chief technology

officers (CTOs). Further, we examine whether firms that improve their governance

following an initial breach reduce the likelihood that they will be breached again.

Many large and publicly traded corporations are subject to data breaches. Merg-

ing data from the Privacy Rights Clearinghouse with full financial data, we examine

a sample of 271 U.S. data breaches from the 2004 to 2012 period. Our results are as

follows: better governed companies are less likely to be targeted by a data breach.

Specifically, firms with smaller boards and more financial expertise are less likely

to be targeted. Social responsibility also seems to play a role in determining which

companies will be attacked. Companies with higher rankings in the environmen-

tal or product safety categories of the social responsibility rankings have a lower

2The sample is cut off in 2012 to allow ample time to pass for estimating changes subsequent to the data

breach event.