Fraunhofer-Gesellschaft

Publica

Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

On the effectiveness of privacy breach disclosure legislation in Europe

Empirical evidence from the US stock market
 
: Muntermann, J.; Roßnagel, H.

:

Josang, A.:
Identity and privacy in the internet age. 14th Nordic Conference on Secure IT Systems, NordSec 2009 : Oslo, Norway, 14-16 October 2009 ; proceedings
Berlin: Springer, 2009 (Lecture Notes in Computer Science 5838)
ISBN: 978-3-642-04765-7
ISBN: 3-642-04765-3
ISSN: 0302-9743
S.1-14
Nordic Conference on Secure IT Systems (NordSec) <14, 2009, Oslo>
Englisch
Konferenzbeitrag
Fraunhofer IAO ()

Abstract
Several U.S. states have enacted laws that require organizations to notify the affected individuals if personal data under their control is believed to have been acquired by an unauthorized person. In the EU, where similar legislation is still missing, several researchers have recommended the introduction of a security-breach notification law. The intention of these laws is twofold. On one hand, they should enable affected individuals to take appropriate steps to protect themselves against malicious impacts resulting from the breach. On the other hand, it was intended to create incentives for companies to undertake steps to improve their security measures. In this contribution, we explore these incentives and present an event study in order to examine the effects of privacy incident announcements on the stock prices of affected companies. Our results show that there are significant price reactions on the next day following the announcements. By comparing these price reactions with those observed for other event types, we detect that disclosed privacy incidents are perceived as marginal by the market. The results show that existing disclosure regulation provides little to no incentives to invest in security measures to prevent the occurrence of privacy breaches, since they are widely ignored by the capital markets. From the widely discussed incentive perspective, the privacy breach disclosure legislation does not appear to be effectively addressing this goal.

: http://publica.fraunhofer.de/dokumente/N-113591.html