Full Text

1. Introduction

Accelerated progress in communication, networks and information technologies is shaping global business, and it is estimated to continue changing business structures for the foreseeable future. This development has many advantages and disadvantages for all organizations’ stakeholders. Information systems management is increasingly considering information security and privacy due to their potential critical issues for all company activities. The magnitude of the importance of breached data was described in the California Data Breach Report 2012-2015 (Harris, 2016) as follows:

In the past four years, the Attorney General has received reports on 657 data breaches, affecting a total of over 49 million records of Californians. In 2012, there were 131 breaches, involving 2.6 million records of Californians; in 2015, 178 breaches put over 24 million records at risk. This means that nearly three in five Californians were victims of a data breach in 2015 alone (p. 8).

Multinational companies rely heavily on technology and always have some technical vulnerabilities, which means data breaches and losses are inevitable. Data is one of the company’s most important assets, and the threat of losing data control is becoming an issue that affects everyone. No matter whether companies establish guidelines and controls to mitigate the risk of data breaches, hacking and phishing threats still exist. Information security and privacy is a determining factor for companies’ continuity and sustainability. Companies are adopting several protection techniques such as system authentication, data encryption, user access control and firewalls as well as practices that aim to minimize such risks such as employee training and user orientation to the company’s information security policy and protocols. Despite these measures, perpetrators are becoming more organized and sophisticated, and the risk is growing.

There are many recent examples of companies that have suffered from major data breaches – Equifax, Anthem, eBay, JPMorgan Chase, Home Depot, Yahoo and Target, among others. Assessing the economic effects of data breaches is a challenge for both accounting and information security management (Schatz and Bashroush, 2016). Research concerning the implications of data breaches is considered an emerging area (Ghosh and Swaminatha, 2001; Spanos and Angelis, 2015, 2016). Event studies have mostly shown that data breaches have a negative effect on cumulative abnormal returns of publicly traded companies. However, these same studies have shown...