Free Access

Data Breach Disclosure Laws and Social Responsibility Initiatives

Department of Accounting, Copenhagen Business School, Solbjerg Plads 3, C.4. 2000, Frederiksberg, Denmark

https://doi.org/10.1142/S1094406024400031Cited by:0 (Source: Crossref)

Abstract

Synopsis

The research problem

This study investigated how firms employ corporate social responsibility (CSR) as a precautionary strategy in response to heightened concerns about cybersecurity following the adoption of data breach disclosure laws in the United States.

Motivation

CSR has garnered substantial attention in contemporary society. Simultaneously, the last few decades have witnessed a rapid surge of the digital economy. However, it remains unclear how CSR is adapting to digitalization. In this study, I focused on cybersecurity, a pivotal challenge in the digital age.

Theoretical reasoning

The enactment of data breach disclosure laws enhances the reporting of cybersecurity incidents and intensifies concerns about cybersecurity, promoting firms to take measures to mitigate the adverse impacts of data breaches. Building on the theory that CSR functions like an insurance policy, I hypothesized that firms increase their engagement in CSR to fortify their reputation after the enactment of data breach disclosure laws, helping cushion the potential impact of future breaches.

Analyses

The main analysis employed a difference-in-differences research design to compare the changes in CSR engagement between firms with high and low levels of cybersecurity risk following the enactment of data breach disclosure laws in the United States. Cross-sectional analyses delved into the underlying mechanisms. Additional analyses first explored the role of CSR in mitigating stock price decline and then illustrated reputational concerns after data breaches.

Findings

The main analysis showed that firms with high cybersecurity risk increase their CSR engagement to a greater extent following the adoption of data breach disclosure laws. CSR initiatives are particularly pronounced for firms likely to incur significant losses from data breaches, aligning with the theoretical framework and offering insight into the underlying mechanisms. I also found that firms with fewer financial constraints exhibit stronger CSR initiatives. Furthermore, these CSR initiatives are distinct and cannot be substituted by investments in information technology. The additional analysis illustrates that firms with superior CSR performance undergo a smaller stock price decline surrounding data breach announcements. This supports the notion that CSR functions much like insurance, shielding against the impacts of data breaches. Subsequently, this study presents direct evidence on firms’ concerns regarding the reputational impact of cybersecurity. Overall, this study underscores cybersecurity concerns as a driving force behind social responsibility initiatives in this digital era.

Target population

This research holds significance for policymakers worldwide who are considering cybersecurity-related regulations and for firms seeking effective risk management strategies in the face of cybersecurity challenges.

Keywords:

JEL: M14, M48, K24, G32, D22

1. Introduction

Corporate social responsibility (CSR) and environmental, social, and governance (ESG) principles have received significant attention from both academia and practitioners in recent years. Research has examined the factors that affect firms’ social responsibility initiatives, including institutional environment (El Ghoul et al., 2017; Kacperczyk, 2009; Liang & Renneboog, 2017), financial circumstances (Hong et al., 2012; Lys et al., 2015; Sun & Gunia, 2018; Xu & Kim, 2022), and risk management (Albuquerque et al., 2019; Dyck et al., 2019; Godfrey et al., 2009; Lins et al., 2017). In the meantime, the last few decades are recognized as the digital age, characterized by the rapid development of the digital economy and a substantial increase in digital assets (Baiyere et al., 2020; Loebbecke & Picot, 2015). However, it is not yet clear how social responsibility initiatives are evolving in the digitalization process.

This study investigated the influence of cybersecurity concerns on social responsibility initiatives in this digital age. With the widespread use of information and communication technologies in business practices, firms accumulate large volumes of digital assets (Hui et al., 2016; Verhoef et al., 2021), which in turn pose a challenge to cybersecurity and data breaches (Verizon, 2020). Such breaches can result in significant negative consequences, including damage to a firm’s reputation, financial losses, and legal liability (Akey et al., 2021; Garg, 2020; Gwebu et al., 2018; Huang & Wang, 2021; Kamiya et al., 2021; Romanosky et al., 2014). IBM, a leading IT industry entity, estimates that the average cost of a data breach in 2023 reached approximately USD 4.45 million.¹ Against this backdrop, previous research demonstrated that CSR activities can help generate moral capital and function as a form of insurance-like protection against negative events (Godfrey, 2005; Godfrey et al., 2009; Jia et al., 2020; Koh et al., 2014; Lins et al., 2017). Therefore, I predict that companies may engage in CSR activities to bolster their reputation and cultivate trust with stakeholders, thereby creating a buffer that can help mitigate the negative effects of future data breaches.²

To test the above prediction, I employed the staggered adoption of data breach disclosure laws across states and territories in the United States as the research setting. Given that data breaches result in negative consequences, firms tend to conceal information about such breaches (Amir et al., 2018). Data breach disclosure laws require firms to notify affected entities and local government in the event of a data breach (Ashraf & Sunder, 2023; Perkins Coie, 2020), which reduces the chance of firms hiding breach news and increases firms’ concern and awareness of cybersecurity challenges (Boasiako & Keefe, 2021).³ Therefore, I expect that firms will have stronger incentives to take precautionary actions to mitigate the negative effects of data breaches following the enactment of data breach disclosure laws. In addition, as firms are exposed to varying degrees of cybersecurity risk (Florakis et al., 2022), I posit that these laws will be especially relevant for firms with high cybersecurity risk.

However, this approach presents a dilemma. The introduction of these laws may drive firms to focus on enhancing cybersecurity and IT investments (Ashraf & Sunder, 2023), which could detract from CSR activities. Yet, I argue that CSR remains crucial for two reasons. First, given that data breaches cannot be entirely prevented (Barton, 2015), firms need to plan for effective response strategies. Second, CSR represents a distinct approach within the risk management paradigm, aiming to mitigate the impact of breaches, unlike IT investments that focus on prevention. Therefore, CSR should continue to be a key element of risk management, even alongside substantial IT investments.⁴

This study employed a difference-in-differences research design that leverages the differences in the timing of adopting data breach disclosure laws across states and the heterogeneity in firms’ exposure to cybersecurity risk. This research design essentially compares the change in CSR engagement between firms with high and low levels of cybersecurity risk in response to the adoption of data breach disclosure laws. A similar approach has been widely used in previous studies, such as those by Muehlenbachs et al. (2015) and Levine et al. (2018).

I first examined the impact of data breach disclosure laws and found that firms with high cybersecurity risk increase their CSR engagement to a greater extent than those with low risk following the adoption of such laws. These findings suggest that the improved disclosure requirements encourage firms to increase their social responsibility initiatives to alleviate the negative effects of data breaches. The cross-sectional findings provide further insight into the underlying mechanisms; CSR initiatives are more pronounced in firms that are more likely to suffer severe losses from data breaches. In addition, CSR initiatives are predominantly prominent in firms facing fewer financial constraints. I also analyzed the IT investments post-law adoption and concluded that they do not supplant CSR initiatives. The results remain robust across alternative model specifications, sample periods, and CSR measures. Moreover, an event study indicates that firms with superior CSR practices suffer less stock price impact when data breaches are publicized, underscoring CSR’s protective role. Evidence also points to firms’ concerns over the reputational damage from data breaches, highlighting the intrinsic link between cybersecurity and CSR.

This study’s findings contribute to CSR studies by highlighting the importance of cybersecurity concerns in driving firms’ engagement in CSR. Previous studies examined the factors that impact a firm’s involvement in CSR (e.g., Dyck et al., 2019; Hong et al., 2012; Kacperczyk, 2009; Sun & Gunia, 2018). However, the extent to which the digital economy and digitalization affect CSR has not been extensively explored. I address this gap by focusing on cybersecurity, which is a major challenge in the digital age (Florakis et al., 2022; Kamiya et al., 2021; Verizon, 2020). Furthermore, the magnitude of its economic impact surpasses that of most determinant factors documented in prior studies. By doing so, this study broadens the understanding on the determinants of CSR by offering a novel perspective of cybersecurity.

This study is closely related to the expanding literature on the insurance-like protection function of CSR (e.g., Bartov et al., 2021; Godfrey, 2005; Koh et al., 2014; Lins et al., 2017) and extends this literature in two ways. First, it specifically focuses on the insurance-like protection function of CSR within the domain of cybersecurity. With firms navigating digitalization strategies, cybersecurity and data breaches are becoming an increasingly pressing issue. The findings offer valuable insights for firms formulating risk management strategies in this area. This paper represents one of the pioneering efforts to examine the insurance-like role of CSR through the lens of cybersecurity. Second, while existing studies predominantly assess the insurance-like function of CSR by evaluating its effectiveness in mitigating losses from negative events, this study took a novel approach in exploring how firms proactively enhance their CSR initiatives in response to potential cybersecurity threats. These proactive initiatives are mirrored in the work of Jia et al. (2020), who found that firms invest in CSR as a safeguard against the prospect of increased short selling in the stock market.

Two concurrent studies addressed the connection between cybersecurity and CSR from different perspectives. First, Akey et al. (2021) demonstrated that firms increase their charitable donations and social performance after data breaches to restore their reputations. This research focused on firms’ postevent CSR investments. In contrast, I investigated the proactive CSR strategies that firms employ in anticipation of potential data breaches. Second, Bamiatzi et al. (2023) showed that CSR mitigates the adverse effects of data breaches on firms’ operating profitability. While Bamiatzi et al. (2023) recognized the insurance function of CSR, their analysis adhered to the classical methodology prevalent in the literature and focused on the consequences following cybersecurity incidents. My study, however, took an innovative route by examining the precautionary CSR initiatives that firms take in the context of data breach disclosure legislation.

This study also enriches the discussion on data breach disclosure laws. First, previous research examined the effects of these laws on firms’ financing activities (Ashraf & Sunder, 2023; Boasiako & Keefe, 2021), yielding mixed results. This study focused on the real effect of data breach disclosure laws as reflected in firms’ social responsibility initiatives. Second, it offers valuable insights for countries considering the implementation of cybersecurity laws. The U.S. market is distinguished by its sophisticated IT infrastructure and well-established legal system. Policymakers from other countries could gain insights from the advantages and drawbacks linked to U.S. cybersecurity legislations. Moreover, results from this study may encourage subsequent studies to assess the influence of cybersecurity laws in countries with varying institutional frameworks.

The remainder of this paper is organized as follows. Section 2 explains the development of the hypothesis. Section 3 outlines the research design. In Section 4, I present the main results and cross-sectional analyses. Section 5 is dedicated to robustness tests. The additional analyses are discussed in Section 6, and Section 7 concludes.

2. Hypothesis Development

2.1. Data breaches and their consequences

Over the past decades, various information and communication technologies, such as the internet, email, software, applications, databases, and smart devices, have been integrated into business operations (Dewett & Jones, 2001; Nolan & McFarlan, 2005; Tanriverdi & Du, 2020). This integration provides firms with competitive advantages and leads to the accumulation of digital assets, including client lists, employee information, confidential contracts, and trade secrets (Hui et al., 2016; Verhoef et al., 2021). However, it could also result in data breaches, which is one of the most pressing challenges faced by businesses globally (Verizon, 2020).

Previous research has shown that data breaches result in significant negative consequences on corporate operations. For instance, Gwebu et al. (2018), Akey et al. (2021), and Kamiya et al. (2021) showed that data breaches can result in reputational losses and reduced sales growth. Cavusoglu et al. (2004) found that stock prices significantly decrease following data breaches, leading to negative stock returns. In addition, data breaches can lead to litigation issues (Romanosky, 2016; Romanosky et al., 2014). Studies by Garg (2020), Iyer et al. (2020), and Huang & Wang (2021) demonstrated the adverse impact of data breaches on financing activities. Specifically, these impacts are reflected in high cash holdings, low corporate bond returns, and unfavorable loan contracting. Moreover, the adverse impacts of data breaches are further evidenced by rising audit fees (Li et al., 2020; Rosati et al., 2019).

2.2. Insufficient disclosure and data breach disclosure laws

Given the negative consequences of data breaches, firms often choose to conceal information about such incidents. According to Amir et al. (2018), many data breaches are initially kept secret by management and only later uncovered by outside parties. These undisclosed breaches are often linked to more severe consequences and result in a larger decline in equity value. This raises the possibility that some data breaches remain undiscovered to this day, although this cannot be confirmed.

To tackle the problem of low voluntary disclosure of data breaches, state authorities in the United States gradually introduced data breach disclosure laws (Ashraf & Sunder, 2023; Boasiako & Keefe, 2021; Perkins Coie, 2020). California was the first state to approve a data breach disclosure law in 2002, and by 2018, all states had adopted similar laws, as shown in Figure 1. These laws require firms to promptly notify relevant parties and government agencies in case of a data breach (Perkins Coie, 2020). Firms that fail to comply with this obligation can face penalties.

Fig. 1. Timing of approval of data breach disclosure laws across states.

The adoption of data breach disclosure laws imposes regulatory costs on firms that conceal information about such breaches, thereby intensifying their concern about cybersecurity. In the absence of regulations, firms may opt to underreport or hide data breaches, particularly severe ones (Amir et al., 2018). However, the mandatory disclosure requirements compel firms to promptly report detected data breaches (Boasiako & Keefe, 2021). These requirements hold firms accountable for non-compliance and subject them to penalties if they conceal breach information. Besides fixed penalties for non-disclosure, breached firms may also face penalties for delayed notification. Given the mandatory disclosure requirements and the resulting regulatory costs for non-compliance, the adoption of data breach disclosure laws heightens firms’ awareness and concern about cybersecurity, motivating them to take actions to mitigate the potential negative impact of data breaches.

2.3. The insurance-like protection function of CSR

This study builds on the literature exploring the insurance-like protection function of CSR. Godfrey (2005) first introduced the idea that CSR acts as an insurance mechanism that helps firms build up moral capital and positive stakeholder perceptions, thereby reducing the impact of negative events. This theory is supported by the finding of Godfrey et al. (2009), who conducted an event study and found that firms engaging in CSR activities, particularly those aimed at secondary stakeholders, experience a smaller drop in shareholder value when faced with legal or regulatory actions.

This theory was further investigated in a variety of contexts. For instance, Lins et al. (2017) found that firms with better CSR records experienced a smaller decline in stock prices during the 2008–2009 global financial crisis. Koh et al. (2014) studied the insurance value of CSR for firms facing litigation risks, while Bartov et al. (2021) showed the insurance function of CSR for firms experiencing unintentional earnings restatements. Shiu & Yang (2017) explored the distinction between subsequent negative events and initial ones, while Luo et al. (2018) tackled the related moral hazard problem.

However, these studies primarily focused on the effect of established CSR in mitigating external shocks. If CSR truly serves as a type of insurance, then firms should have incentives to proactively increase their CSR engagement when they anticipate future risks or uncertainties. This prediction is supported by the research of Jia et al. (2020), who studied the impact of an unexpected increase in short selling threats due to the 2005 Regulation SHO. In their study, some firms were randomly designated as pilot firms, and their restrictions on short selling were lifted. Their results showed that pilot firms significantly enhance their CSR engagement in response to the increased short selling threats.

2.4. Hypothesis

In developing my hypothesis on how data breach disclosure laws affect firms’ social responsibility initiatives, I considered the negative consequences of data breaches, the role of data breach disclosure laws, and the insurance-like protection function of CSR. Previous studies showed that data breaches can have substantial negative impacts on firm reputation (Akey et al., 2021; Gwebu et al., 2018), sales growth (Huang & Wang, 2021), shareholder value (Kamiya et al., 2021), legal liabilities (Romanosky et al., 2014), and financing activities (Garg, 2020; Iyer et al., 2020). Given these negative consequences, firms tend to conceal information about data breaches, especially the severe ones (Amir et al., 2018). To tackle this problem, state authorities in the United States gradually approved data breach disclosure laws (Ashraf & Sunder, 2023; Perkins Coie, 2020). The adoption of data breach disclosure laws decreases the likelihood of firms concealing information about data breaches, and thus cybersecurity becomes a more prevalent concern (Boasiako & Keefe, 2021). Under this background, I expect that firms will have stronger incentives to make strategic choices to mitigate the negative effects of data breaches.

I hypothesize that firms will increase their engagement in CSR as one specific strategic choice following the enactment of data breach disclosure laws. This hypothesis is based on prior literature suggesting that CSR activities can function as an insurance-like protection mechanism (Godfrey, 2005; Godfrey et al., 2009). By increasing their commitment to CSR, firms can accumulate moral capital and build trust with stakeholders, which may help mitigate negative effects of data breaches. Furthermore, as data breaches are more relevant to firms with high cybersecurity risk (Florakis et al., 2022), such firms are anticipated to exhibit a greater increase in CSR engagement compared to those with low cybersecurity risk. This reasoning supports the use of a difference-in-differences research design to leverage the differences in the timing of adopting data breach disclosure laws across states and the variation in firms’ exposure to cybersecurity risk. In conclusion, I propose the following hypothesis:

H $_{1}$ $_{1}$ : Firms increase their engagement in CSR following the enactment of data breach disclosure laws, especially if they face high cybersecurity risk.

3. Research Design

3.1. Sample development

The sample development process is outlined in Table 1, Panel A. I began with the universe of U.S. non-financial firms in Compustat during the sample period 1996–2018, which was then merged with MSCI ESG KLD STATS (hereafter referred to as KLD) to acquire CSR performance measures. Firms’ historical business addresses were collected from the header information of 10-K filings, with 1996 being the starting year of the sample period. Firms that changed their business addresses or have missing data for CSR, cybersecurity risk, or control variables were excluded from the sample. The final sample consisted of 21,727 firm-year observations from 2675 unique firms.

**Table 1. Sample Development Process and Distribution Across Years**
Panel A: Sample Development Process				No. of Observations
The observations in Compustat during the sample period 1996–2018				225,698
Less
Those not covered by KLD				(188,415)
Those that are headquartered outside the United States				(1945)
Those that changed their business addresses during the sample period				(2645)
Those in the finance and utilities industries				(8714)
Those with missing data on CSR performance				(18)
Those with missing data on cybersecurity risk				(1982)
Those with missing data on control variables				(252)
Final sample				21,727
Panel B: Distribution Across Years
Year	Observations	Percentage (%)	Cum. Percentage	KLD Coverage
1996	161	0.74	0.74	S&P 500, KLD 400
1997	169	0.78	1.52	S&P 500, KLD 400
1998	181	0.83	2.35	S&P 500, KLD 400
1999	193	0.89	3.24	S&P 500, KLD 400
2000	186	0.86	4.10	S&P 500, KLD 400
2001	383	1.76	5.86	Russell 1000
2002	402	1.85	7.71	Russell 1000
2003	1008	4.64	12.35	Russell 3000
2004	1117	5.14	17.49	Russell 3000
2005	1080	4.97	22.46	Russell 3000
2006	1167	5.37	27.83	Russell 3000
2007	1278	5.88	33.71	Russell 3000
2008	1336	6.15	39.86	Russell 3000
2009	1367	6.29	46.15	Russell 3000
2010	1392	6.41	52.56	Russell 3000
2011	1334	6.14	58.70	Russell 3000
2012	1359	6.25	64.95	Russell 3000
2013	1225	5.64	70.59	Russell 3000
2014	1186	5.46	76.05	Russell 3000
2015	1317	6.06	82.11	Russell 3000
2016	1313	6.04	88.15	Russell 3000
2017	1255	5.78	93.93	Russell 3000
2018	1318	6.07	100.00	Russell 3000
Total	21,727	100.00

It should be noted that the coverage of KLD varies over the sample period. Initially, it included companies listed in the S&P 500 and KLD 400 indices, then expanded to the Russell 1000 Index in 2001 and the Russell 3000 Index in 2003. This led to a varying number of observations across years, as shown in Panel B of Table 1. In the robustness tests, I used an alternative sample period (2003–2018) that only includes the Russell 3000 firms, and the results remain similar.

3.2. Measure of social responsibility initiatives

A firm’s social responsibility initiatives were measured using its CSR score as recorded in the KLD. KLD collects information on a firm’s CSR performance from various sources, such as annual reports, corporate websites, and news articles, and it has been widely used in prior research (e.g., Albuquerque et al., 2019; Deng et al., 2013; Ioannou & Serafeim, 2015; Jia et al., 2020; Kacperczyk, 2009; Servaes & Tamayo, 2013; Zhang et al., 2020). I focused on six categories of CSR (excluding corporate governance): community, diversity, employee relations, environmental performance, human rights, and product. In recent years, institutions such as KPMG advocated for the joint analysis of cybersecurity and ESG.⁵ This could potentially reshape the future landscape of ESG metrics. It is fortuitous that, within the sample period, the KLD dataset does not include a dedicated cybersecurity category. This facilitates an independent examination of CSR initiatives alongside cybersecurity concerns.

Each category of CSR measures in the KLD includes “strengths” and “concerns” indicators. “Strengths” refer to proactive efforts to do good, while “concerns” reflect passive harmful behaviors (Ioannou & Serafeim, 2015; Kacperczyk, 2009). The “strengths” or “concerns” indicator is set to 1 if a firm is viewed as having the described positive or negative behavior by the KLD. The number of indicators for each CSR category varies among observations. To ensure comparability, I divided the number of “strengths” and “concerns” by the maximum possible number of “strengths” and “concerns” in each category, following the method used in prior studies (e.g., Albuquerque et al., 2019; Deng et al., 2013; Servaes & Tamayo, 2013). Net CSR was calculated as the difference between the scaled “strengths” and the scaled “concerns.” Net CSR was used as the main dependent variable in most of the analyses. To examine the separate roles of “strengths” and “concerns,” I calculated both the CSR Strengths score and CSR Concerns score and compared their responses to the legislative change regarding data breach disclosure. Robustness tests used the environmental and social pillar scores from the Refinitiv Asset4 ESG database as alternative measures of social responsibility initiatives, and the results remain consistent.

3.3. Measure of adopting data breach disclosure laws

The adoption of data breach disclosure laws was measured based on the security breach notification chart collected by Perkins Coie (2020). As CSR can be viewed as a precautionary strategy (Godfrey, 2005; Jia et al., 2020), I defined the adoption of data breach disclosure laws based on the years of approval rather than the years they took effect.⁶ The indicator $D i s c L a w_{s t}$ $D i s c L a w_{s t}$ takes the value 1 if a data breach disclosure law had been approved in a firm’s headquarter state s in year t, otherwise 0, following Boasiako & Keefe (2021) and Ashraf & Sunder (2023).⁷

3.4. Measure of cybersecurity risk

The measure of a firm’s exposure to cybersecurity risk was derived from Florakis et al. (2022), who assessed the exposure by comparing a firm’s disclosure of cybersecurity risk factors in the item 1A section of 10-K filings with those by firms that experienced data breaches. A firm’s exposure to cybersecurity risk was determined by the linguistic similarity — that is, the extent of overlap in word vectors — between the firm’s cybersecurity risk factors disclosure and that of breached firms, with a higher similarity indicating a greater risk exposure.⁸ Florakis et al. (2022) showed that this intuitive and straightforward measure can predict the occurrence of future data breaches. This method based on linguistic similarity has been extensively used in other studies. For example, Hoberg & Phillips (2010) and Hoberg et al. (2014) investigated firms’ textual similarity in product descriptions in 10-K filings.

The cybersecurity risk measure provided by Florakis et al. (2022) is available only for the period spanning 2007–2018, owing to data limitations. Despite this constraint, I assert that a firm’s exposure to cybersecurity risk is primarily influenced by its operational practices and technological infrastructure. This assertion finds support in Florakis et al. (2022) research, which illustrated that firms heavily reliant on information technology are more likely to encounter a high level of cybersecurity risk, whereas traditional firms typically exhibit lower vulnerability. Consequently, even though this measure of cybersecurity risk may experience variations over time, its cross-sectional disparities should remain relatively stable. To account for this, I averaged each firm’s cybersecurity risk measure over the period 2007–2018, which yielded a measure with cross-sectional variation but no time-series variation. This measure was employed as the firm-specific cybersecurity risk measure for the sample period from 1996 to 2018. I acknowledge the limitations of this approach, and hence in the robustness tests, the years 2007–2018 were used as an alternative sample period. Although the variation in the adoption of data breach disclosure laws is substantially reduced in this shortened sample period, the results remain similar.⁹

An indicator variable for high-level cybersecurity risk, Cybersecurity Risk, was defined based on the above firm-specific cybersecurity risk measure. The sample median was used as the threshold for high-level cybersecurity risk. Cybersecurity Risk takes the value 1 if a firm is exposed to high-level cybersecurity risk, 0 otherwise; this variable was used in the main analysis. Untabulated robustness tests (a) defined high-level cybersecurity risk based on the top tertile and top quartile and (b) used a continuous measure of cybersecurity risk; the results remain consistent.

3.5. Model specification

The research design employed a difference-in-differences approach, taking advantage of the year variation in the adoption of data breach disclosure laws across states and the difference in firms’ exposure to cybersecurity risk. The model specification is as follows :

CSR i t = β 1 D i s c L a w s t \times C y b e r s e c u r i t y R i s k i + δ X i t + α i + α s t + ε i t . {CSR}_{i t} = β_{1} D i s c L a w_{s t} \times C y b e r s e c u r i t y R i s k_{i} + δ X_{i t} + α_{i} + α_{s t} + ε_{i t} . <math display="block" altimg="eq-00003.gif"><msub><mrow><mstyle><mtext mathvariant="normal">CSR</mtext></mstyle></mrow><mrow><mi>i</mi><mi>t</mi></mrow></msub><mo>=</mo><msub><mrow><mi>β</mi></mrow><mrow><mn>1</mn></mrow></msub><mi>D</mi><mi>i</mi><mi>s</mi><mi>c</mi><mspace width=".17em" class="nbsp"></mspace><mi>L</mi><mi>a</mi><msub><mrow><mi>w</mi></mrow><mrow><mi>s</mi><mi>t</mi></mrow></msub><mo>\times</mo><mi>C</mi><mi>y</mi><mi>b</mi><mi>e</mi><mi>r</mi><mi>s</mi><mi>e</mi><mi>c</mi><mi>u</mi><mi>r</mi><mi>i</mi><mi>t</mi><mi>y</mi><mspace width=".17em" class="nbsp"></mspace><mi>R</mi><mi>i</mi><mi>s</mi><msub><mrow><mi>k</mi></mrow><mrow><mi>i</mi></mrow></msub><mo>+</mo><mi>δ</mi><msub><mrow><mi>X</mi></mrow><mrow><mi>i</mi><mi>t</mi></mrow></msub><mo>+</mo><msub><mrow><mi>α</mi></mrow><mrow><mi>i</mi></mrow></msub><mo>+</mo><msub><mrow><mi>α</mi></mrow><mrow><mi>s</mi><mi>t</mi></mrow></msub><mo>+</mo><msub><mrow><mi>ε</mi></mrow><mrow><mi>i</mi><mi>t</mi></mrow></msub><mo>.</mo></math> (1)

The dependent variable ${CSR}_{i t}$ ${CSR}_{i t}$ represents firm i’s social responsibility initiatives in year t, and it is proxied by the Net CSR score in KLD. The coefficient of interest $β_{1}$ $β_{1}$ measures the impact of data breach disclosure laws on CSR, conditional on a firm’s exposure to cybersecurity risk. The model incorporates firm fixed effects $α_{i}$ $α_{i}$ and state-year fixed effects $α_{s t}$ $α_{s t}$ to account for time-invariant firm-specific factors, time trends, and the state-year-level variation.¹⁰ For instance, internet and digital assets have been increasingly popular over time, and this macro trend can be captured by the year element in state-year fixed effects $α_{s t}$ $α_{s t}$ . The level effects of $D i s c L a w_{s t}$ $D i s c L a w_{s t}$ and $C y b e r s e c u r i t y R i s k_{i}$ $C y b e r s e c u r i t y R i s k_{i}$ are subsumed by state-year fixed effects $α_{s t}$ $α_{s t}$ and firm fixed effects $α_{i}$ $α_{i}$ , respectively. In addition, the model includes a set of time-varying firm characteristics $X_{i t}$ $X_{i t}$ to further account for factors that may affect firms’ social responsibility initiatives. The detailed variable definitions are described in Appendix A.

3.6. Summary statistics

Table 2 presents summary statistics for the main variables. The mean of the dependent variable, Net CSR score, is 0.029, with a standard deviation of 0.124. CSR Strengths and CSR Concerns, which make up the Net CSR score, have means of 0.075 and 0.046, respectively. The variable Disc Law has a mean of 0.740, which indicates that data breach disclosure laws were adopted in 74% of the observations. The continuous Cybersecurity Risk measure has a mean of 0.252 and a standard deviation of 0.146.

**Table 2. Summary Statistics**
	N	Mean	SD	P25	Median	P75
Social responsibility initiatives
Net CSR	21,727	0.029	0.124	$- 0.037$ $- 0.037$	0.000	0.077
CSR Strengths	21,727	0.075	0.118	0.000	0.029	0.100
CSR Concerns	21,727	0.046	0.057	0.000	0.037	0.074
Each category of CSR
Community	17,282	0.030	0.168	0.000	0.000	0.000
Diversity	20,482	$- 0.048$ $- 0.048$	0.358	$- 0.333$ $- 0.333$	0.000	0.125
Employee Relations	21,594	0.014	0.181	0.000	0.000	0.000
Environmental Performance	21,710	0.041	0.151	0.000	0.000	0.000
Human Rights	14,768	0.004	0.109	0.000	0.000	0.000
Product	18,857	0.031	0.237	0.000	0.000	0.000
Alternative measures of CSR
ES Score	8723	32.778	22.928	14.205	25.340	48.245
Environmental	8723	24.820	27.556	0.000	13.770	45.360
Social	8723	40.742	21.688	23.820	36.910	55.240
Data breach disclosure laws and cybersecurity risk
Disc Law	21,727	0.740	0.439	0.000	1.000	1.000
Cybersecurity Risk	21,727	0.500	0.500	0.000	0.000	1.000
Cybersecurity Risk (Continuous)	21,727	0.252	0.146	0.160	0.255	0.363
Control variables
Size	1,727	7.086	1.608	5.918	6.949	8.111
Leverage	21,727	0.194	0.195	0.004	0.159	0.304
Profitability	21,727	0.063	0.163	0.016	0.077	0.142
Market to Book	21,727	3.581	5.400	1.565	2.534	4.275
Cash Holding	21,727	0.231	0.283	0.043	0.129	0.309
PPE	21,727	0.269	0.247	0.086	0.188	0.375
Intangible Assets	21,727	0.227	0.247	0.026	0.150	0.350
Sales Growth	21,727	0.131	0.305	0.001	0.080	0.192
Variables for cross-sectional analyses
Profit Margin	21,703	0.025	0.142	0.009	0.048	0.095
R&D Intensity	21,703	0.060	0.100	0.000	0.006	0.081
Kaplan–Zingales Index	19,935	$- 4.374$ $- 4.374$	8.148	$- 5.698$ $- 5.698$	$- 1.302$ $- 1.302$	0.682
Size–Age Index	21,727	$- 3.774$	0.572	$- 4.317$	$- 3.712$	$- 3.300$
IT Officer	16,105	0.090	0.286	0.000	0.000	0.000
Tech Committee	20,317	0.044	0.206	0.000	0.000	0.000

4. Main Results

4.1. Data breach disclosure laws and CSR

Before delving into the main analysis, a univariate assessment was conducted to directly evaluate the impact of data breach disclosure laws across different groups. The results are reported in Appendix B. In the low Cybersecurity Risk group, CSR performance increased by 0.029 (from −0.014 to 0.015). In the high Cybersecurity Risk group, CSR performance experienced a more substantial increase of 0.055 (from 0.008 to 0.063). The magnitude of increase in the high-risk group is 0.026 greater than that observed in the low-risk group, which provides preliminary evidence to support my prediction.

Moving forward, the main regression analysis yielded the following results, as presented in Table 3. Column 1 corresponds to the main analysis based on regression equation (1) with firm fixed effects and state-year fixed effects. The coefficient for Disc Law×Cybersecurity Risk is 0.026, which is statistically significant at the 1% level. These findings align with the hypothesis and suggest that firms facing high cybersecurity risk exhibit a greater increase in their engagement with CSR compared to those with low cybersecurity risk when data breach disclosure laws are in place. Notably, the magnitude of the coefficient 0.026 in Column 1 represents 21% ( $= 0.026$ /0.124) of the standard deviation of Net CSR, underscoring its economic significance.

**Table 3. Main Results: Data Breach Disclosure Laws and CSR**
Dependent Variable	Net CSR
	(1)	(2)	(3)
*Disc Law* × *Cybersecurity Risk*	0.026***	0.029***	0.024***
	(5.88)	(5.33)	(4.70)
Disc Law		0.016***	0.025***
		(3.34)	(6.48)
Cybersecurity Risk			0.004
			(0.78)
Size	0.001	0.056***	0.033***
	(0.23)	(14.45)	(11.26)
Leverage	0.025**	0.079***	$- 0.011 *$
	(2.67)	(7.51)	(−1.98)
Profitability	0.012	0.030**	0.010
	(1.63)	(2.65)	(1.38)
Market to Book	0.000	0.001***	0.002***
	(0.21)	(4.56)	(10.99)
Cash Holding	0.009*	0.041***	0.063***
	(1.92)	(8.81)	(13.77)
PPE	$- 0.014$	0.004	$- 0.029$ ***
	(−1.24)	(0.30)	(−4.15)
Intangible Assets	0.000	0.028***	0.015*
	(0.07)	(5.75)	(1.83)
Sales Growth	$- 0.004$ *	$- 0.005$ *	$- 0.011$ ***
	(−1.98)	(−2.22)	(−2.80)
Firm fixed effects	Yes	Yes	No
State-year fixed effects	Yes	No	No
Observations	21,727	21,727	21,727
Adjusted R-squared	0.617	0.480	0.216

Notes: This table presents the impact of data breach disclosure laws on firms’ social responsibility initiatives conditional on cybersecurity risk. The dependent variable, Net CSR, is calculated as CSR Strengths minus CSR Concerns. The variable of interest is Disc Law × Cybersecurity Risk, where Disc Law is the indicator for adopting data breach disclosure laws and Cybersecurity Risk is the indicator for high-level firm-specific cybersecurity risk. The level effects of Disc Law and Cybersecurity Risk are subsumed by state-year fixed effects and firm fixed effects, respectively. The detailed definitions of the variables are listed in Appendix A. All continuous variables are Winsorized at the 1% and 99% level. Standard errors are clustered at the state level, and t-statistics are reported in brackets. ***, **, and * indicate statistical significance at the 1%, 5%, and 10% level, respectively.

To ensure robustness, Columns 2 and 3 exclude state-year fixed effects and firm fixed effects in a stepwise manner. The coefficient estimates for Disc Law × Cybersecurity Risk remain quantitatively similar in both columns.¹¹ Moreover, the coefficient estimates for Disc Law are 0.016 (Column 2) and 0.025 (Column 3), both statistically significant at the 1% level. This supports the first part of the hypothesis: firms’ engagement with CSR increases overall following the enactment of data breach disclosure laws.

I further evaluated the impact of cybersecurity on CSR relative to other determinants documented in the literature. A shift of one standard deviation in the independent variable Disc Law × Cybersecurity Risk corresponds to a 10.19% increase in CSR, calculated as $0.026 \times 0.486$ /0.124.¹² This magnitude surpasses those of most factors identified in prior studies. For instance, Dyck et al. (2019) results implied a 0.80% change in the social score and a 1.50% change in the environmental score. Comparable studies by Xu & Kim (2022), Hong et al. (2012), Sun & Gunia (2018), and Kacperczyk (2009) indicated changes of 0.76%, 5.74%, 9.44%, and 39.43%, respectively.¹³ The calculation of these economic magnitudes is detailed in Appendix C.

Table 4, Panel A, compares the two components of Net CSR, namely, CSR Strengths and CSR Concerns. The coefficient when regressing on CSR Strengths is statistically significant, and the coefficient estimate 0.029 represents 25% ( $= 0.029$ /0.118) of the standard deviation of CSR Strengths. On the other hand, when regressing on CSR Concerns, the coefficient 0.001 is not statistically significant. This suggests that the improvement in CSR engagement after adopting data breach disclosure laws is primarily driven by firms’ proactive efforts to do good rather than a passive approach of avoiding harm.

**Table 4. CSR Strengths, Concerns, and Each Category of CSR**
Panel A: CSR Strengths Versus Concerns
Dependent Variable					CSR Strengths	CSR Concerns
					(1)	(2)
*Disc Law* × *Cybersecurity Risk*					0.029***	0.001
					(6.75)	(0.82)
Controls					Yes	Yes
Firm fixed effects					Yes	Yes
State-year fixed effects					Yes	Yes
Observations					21,727	21,727
Adjusted R-squared					0.658	0.658
Panel B: Each Category of CSR
Dependent Variable	Community	Diversity	Employee Relations	Environmental Performance	Human Rights	Product
	(1)	(2)	(3)	(4)	(5)	(6)
*Disc Law* × *Cybersecurity Risk*	0.011*	0.054***	0.018**	0.038***	− 0.001	0.029**
	(1.71)	(3.51)	(2.26)	(3.60)	(−0.11)	(2.62)
Controls	Yes	Yes	Yes	Yes	Yes	Yes
Firm fixed effects	Yes	Yes	Yes	Yes	Yes	Yes
State-year fixed effects	Yes	Yes	Yes	Yes	Yes	Yes
Observations	17,282	20,482	21,594	21,710	14,768	18,857
Adjusted R-squared	0.301	0.564	0.465	0.483	0.345	0.340

Notes: Panel A separately examines the strengths and concerns attributes of firms’ CSR. The dependent variables in Columns 1 and 2 are CSR Strengths and CSR Concerns, respectively. Panel B examines each category of CSR, and the dependent variables are the net CSR score for each category. Variable definitions are described in Appendix A. ***, **, and * indicate statistical significance at the 1%, 5%, and 10% level, respectively.

Panel B of Table 4 provides a further analysis on each category of CSR. Out of the six categories, only the Human Rights category showed an insignificant result. This suggests that firms primarily focus on five categories of CSR: community, diversity, employee relations, environmental performance, and product. This aligns with previous studies, such as Jiao (2010) and Zhang et al. (2020), which excluded Human Rights when measuring the CSR performance. In a supplementary analysis, a dependent variable based on the above five categories of CSR was used, yielding similar results.

4.2. Mechanism analysis: The role of firms’ potential losses from data breaches

I explored the moderating effect of firms’ potential losses from data breaches, offering insight into the mechanism that drives their social responsibility initiatives. H $_{1}$ posits that firms engage in CSR as a means to mitigate the adverse impact of data breaches. Consequently, if this holds true, I anticipated that firms facing the prospect of more substantial losses from such breaches would have stronger incentives to embrace CSR, thereby offsetting potential future losses.

I measured a firm’s potential losses from data breaches based on the extent of proprietary information it processes, which has been suggested to make firms more vulnerable to data breaches (Ettredge et al., 2018; Hughes et al., 2023). To measure the extent of proprietary information processing, I used two proxies: (a) Profit Margin and (b) Research and Development (R&D) Intensity. High profit margins are usually viewed as a signal of proprietary information (Huang et al., 2017), while R&D activities directly contribute to the accumulation of proprietary information and competitive advantages (André et al., 2016; Ellis et al., 2012). Profit Margin was measured as income before extraordinary items, divided by sales revenue, and R&D Intensity as R&D expenses divided by sales revenue. Firms with high Profit Margin or high R&D Intensity are likely to incur greater losses from data breaches.

Table 5 presents the results. For firms with a high Profit Margin (Column 2), the coefficient of Disc Law × Cybersecurity Risk is 0.035 and is statistically significant at the 1% level. In contrast, the coefficient in the subsample with low Profit Margin (Column 1) is 0.016 and is only statistically significant at the 10% level, indicating a weaker relationship. The one-tailed Wald test suggests that the coefficient in Column 2 is significantly larger than that in Column 1. The same pattern is observed in Columns 3–4, where the coefficient of 0.046 in the subsample with high R&D Intensity in Column 4 is significantly greater than the coefficient of 0.013 in the subsample of low R&D Intensity in Column 3. These results indicate that the potential losses from data breaches serve as a motivation for firms to engage in more CSR activities, thus confirming the mechanism outlined in the hypothesis development.

**Table 5. Mechanism Analysis: The Role of Firms’ Potential Losses from Data Breaches**
	Profit Margin		R&D Intensity
	Low	High	Low	High
	(1)	(2)	(3)	(4)
*Disc Law* × *Cybersecurity Risk*	0.016*	0.035***	0.013*	0.046***
	(1.85)	(5.76)	(1.84)	(5.21)
Controls	Yes	Yes	Yes	Yes
Firm fixed effects	Yes	Yes	Yes	Yes
State-year fixed effects	Yes	Yes	Yes	Yes
Observations	11,183	10,520	10,857	10,846
Adjusted R-squared	0.598	0.645	0.568	0.656
Difference in coefficient on	0.019***		0.033***
Disc Law ×Cybersecurity Risk	(2.90)		(3.45)

Notes: The underlying mechanism were explored by conducting a cross-sectional analysis based on firms’ potential losses from data breaches, which are proxied by (a) Profit Margin (Columns 1–2) and (b) R&D Intensity (Columns 3–4). Net CSR serves as the dependent variable. The odd (even) columns represent the subsamples with low (high) levels of potential losses from data breaches. The difference in coefficients between odd and even columns were tested based on one-tailed Wald tests. *** and * indicate statistical significance at the 1% and 10% level, respectively.

4.3. The role of firms’ financial constraints

Next, the influence of financial constraints on firms’ CSR initiatives following the disclosure laws was investigated. Previous research suggested that limited financial resources can impede a firm’s involvement in CSR (Hong et al., 2012; Sun & Gunia, 2018; Xu & Kim, 2022). Consistent with this literature, I anticipated that, in this study’s context, a firm’s financial situation may constrain its incentive to invest in CSR after the enactment of data breach disclosure laws.

To test this prediction, I employed two measures of financial constraints: (a) the Kaplan–Zingales Index (Kaplan & Zingales, 1997) and (b) the Size–Age Index (Hadlock & Pierce, 2010). Firms with a low Kaplan–Zingales Index or a low Size–Age Index are generally viewed as having greater financial resources and thus fewer financial constraints.

The results are reported in Table 6. In the subsample with a low Kaplan–Zingales Index in Column 2, the coefficient of Disc Law × Cybersecurity Risk is 0.031. This coefficient is significantly greater than the coefficient 0.013 in the subsample with a high Kaplan–Zingales Index in Column 1, as confirmed by the one-tailed Wald test. The same pattern is observed in the cross-sectional analysis of Size–Age Index in Columns 3–4. These results suggest that firms with greater financial resources are more inclined to respond to the adoption of data breach disclosure laws by increasing their engagement in CSR.

**Table 6. The Role of Firms’ Financial Constraints**
	Kaplan−Zingales Index		Size−Age Index
	High	Low	High	Low
	(1)	(2)	(3)	(4)
*Disc Law* × *Cybersecurity Risk*	0.013*	0.031***	0.010	0.033***
	(1.70)	(4.05)	(1.42)	(5.93)
Controls	Yes	Yes	Yes	Yes
Firm fixed effects	Yes	Yes	Yes	Yes
State-year fixed effects	Yes	Yes	Yes	Yes
Observations	9972	9963	10,870	10,857
Adjusted R-squared	0.591	0.663	0.620	0.650
Difference in coefficient on	0.018***		0.023***
Disc Law × Cybersecurity Risk	(3.04)		(3.72)

Notes: The influence of firms’ financial constraints was examined through cross-sectional analyses. Financial constraints are proxied by (a) Kaplan–Zingales Index (Columns 1–2) and (b) Size–Age Index (Columns 3–4). Net CSR serves as the dependent variable. The odd (even) columns correspond to the subsamples with high (low) levels of financial constraints. The differences in coefficients between odd and even columns were tested using one-tailed Wald tests. *** and * indicate statistical significance at the 1% and 10% level, respectively.

4.4. IT investments versus CSR initiatives

Finally, I explored the potential impact of data breach disclosure laws on IT investments and their subsequent effects on CSR initiatives. The adoption of data breach disclosure laws may serve as a catalyst for firms to reevaluate their IT capabilities and prevent cybersecurity incidents. However, the extent of this impact is unclear. Moreover, IT investments might potentially influence a firm’s CSR initiatives. When firms allocate resources to enhance their IT capabilities, it signals a commitment to cybersecurity. In this process, firms may intensify CSR efforts as well. However, on the other hand, substantial IT improvements might make extensive CSR initiatives redundant, potentially leading to reduced CSR engagement. Hence, it is unclear whether CSR initiatives can be replaced by IT investments.

To test the above conjecture, I utilized proxies for IT investments, specifically focusing on the presence of IT officers or board-level technology committees.¹⁴ These practices are recognized as effective mechanisms to manage IT resources (Ashraf & Sunder, 2023; Banker & Feng, 2019; Higgs et al., 2016; Huang & Wang, 2021). Given that financial commitments to cybersecurity investments are not publicly disclosed, IT investments were inferred based on the adoption of the aforementioned IT-related practices.

Table 7, Panel A, reveals an increase in both the appointments of IT officers and the formation of technology committees following the enactment of data breach disclosure laws. This trend suggests that firms proactively invested in IT resources to address growing cybersecurity concerns. Nonetheless, despite these investments, the firm-year-level Cybersecurity Risk remains unchanged. This finding highlights the limitations of IT investments in mitigating the likelihood of data breaches. Additionally, it underscores the relative independence between the variable Disc Law and Cybersecurity Risk in the research design.

**Table 7. IT Investments Versus CSR Initiatives**
Panel A: IT Investments and Cybersecurity Risk in Response to the Laws
Dependent Variable		IT Officer	Tech Committee	Cybersecurity Risk
		(1)	(2)	(3)
*Disc Law*		0.016**	0.008*	$- 0.003$
		(2.07)	(1.96)	(−0.30)
Firm fixed effects		Yes	Yes	Yes
Year fixed effects		Yes	Yes	Yes
Observations		16,105	20,317	13,835
Adjusted R-squared		0.469	0.661	0.739
Panel B: CSR Initiatives Across Subsamples with Different IT Investments
	IT Officer		Tech Committee
	Without	With	Without	With
	(1)	(2)	(3)	(4)
*Disc Law* × *Cybersecurity Risk*	0.025***	0.144***	0.026***	0.165**
	(4.75)	(3.23)	(5.55)	(2.81)
Controls	Yes	Yes	Yes	Yes
Firm fixed effects	Yes	Yes	Yes	Yes
State-year fixed effects	Yes	Yes	Yes	Yes
Observations	14,656	1449	19,414	903
Adjusted R-squared	0.624	0.695	0.622	0.739
Difference in coefficient on	0.119		0.139
Disc Law × Cybersecurity Risk	(0.69)		(0.09)

Notes: Potential IT investments were investigated following the enactment of data breach disclosure laws, along with their impact on CSR initiatives. Panel A shows the response of IT investments (represented by the presence of IT officers or technology committees) and the firm-year cybersecurity risk measure to these laws. Panel B delves into the CSR initiatives of firms within subsamples characterized by varying IT investments. Net CSR serves as the dependent variable in Panel B. ***, **, and * indicate statistical significance at the 1%, 5%, and 10% level, respectively.

Panel B examines the subsequent effects on CSR initiatives. The sample was partitioned based on the presence of IT officers and technology committees. Firms with IT officers, in Column 2, exhibit a coefficient estimate of 0.144 for Disc Law × Cybersecurity Risk. In contrast, this coefficient is 0.025 for the firms without IT officers, as shown in Column 1. Both coefficients are statistically significant at the 1% level. Similarly, in Column 4, firms with technology committees demonstrated a coefficient of 0.165, while it is 0.026 for firms without technology committees in Column 3. Both coefficients remain statistically significant.

These results suggest that IT investments and CSR initiatives are distinct strategies for managing cybersecurity risk. Even when firms make substantial IT investments, their motivation to engage in CSR remains high. Although the relatively small sample size of firms with IT officers or technology committees may limit the statistical power of the tests, the overall pattern remains consistent.¹⁵ In summary, these findings indicate that firms recognize the importance of both IT investments and CSR. Importantly, CSR initiatives cannot be substituted by IT investments when managing cybersecurity risks.

5. Robustness Tests

5.1. Alternative model specifications

Two alternative model specifications were employed to ensure the robustness of the results. First, Akey et al. (2021) and Bamiatzi et al. (2023) found that following data breaches, firms tend to increase their engagement in CSR to repair their reputations. In this context, the occurrence of data breaches could potentially be a correlated omitted variable that might bias the estimations. To address this concern, observations from firms that experienced data breaches were excluded. As shown in Table 8, Panel A (Column 1), the results remain robust, with a coefficient of 0.023 for Disc Law × Cybersecurity Risk, which is quantitatively similar and statistically significant at the 1% level.

**Table 8. Results for Alternative Model Specifications, Sample Periods, and CSR Measures**
Panel A: Alternative Model Specifications
		Excluding Breached Firms	Stacked Sample
		(1)	(2)
*Disc Law* × *Cybersecurity Risk*		0.023***	0.011***
		(5.24)	(4.94)
Controls		Yes	Yes
Firm fixed effects		Yes	Yes
State-year fixed effects		Yes	Yes
Observations	19,224	22,782
Adjusted R-squared		0.598	0.647
Panel B: Alternative Sample Periods
		2003–2018	2007–2018
		(1)	(2)
*Disc Law* × *Cybersecurity Risk*		0.023***	0.016**
		(4.88)	(2.61)
Controls		Yes	Yes
Firm fixed effects		Yes	Yes
State-year fixed effects		Yes	Yes
Observations		20,052	15,680
Adjusted R-squared		0.633	0.666
Panel C: Alternative Measures of CSR as the Dependent Variables
Dependent Variable	ES Score	Environmental	Social
	(1)	(2)	(3)
*Disc Law* × *Cybersecurity Risk*	4.687***	6.275***	3.037***
	(5.89)	(6.13)	(3.45)
Controls	Yes	Yes	Yes
Firm fixed effects	Yes	Yes	Yes
State-year fixed effects	Yes	Yes	Yes
Observations	8723	8723	8723
Adjusted R-squared	0.858	0.837	0.805

Notes: This table reports the robustness tests on alternative model specifications, sample periods, and measures of CSR. Panel A shows the results on alternative model specifications. Column 1 excludes breached firms to eliminate the interference of heightened CSR activities after data breach incidents, as reported by Akey et al. (2021) and Bamiatzi et al. (2023). Column 2 uses a stacked sample to address the concern on the staggered adoption of data breach disclosure laws, following the method of Cengiz et al. (2019). Panel B presents the results based on alternative sample periods. Column 1 uses 2003–2018 as the sample period; the coverage of KLD expanded to Russell 3000 firms in 2003. Column 2 uses the sample period of 2007–2018, the original period used to calculate the cybersecurity risk measure by Florakis et al. (2022). Net CSR serves as the dependent variable in Panels A and B. Panel C reports the results based on alternative measures of CSR: the ES Score (Column 1), the Environmental Pillar Score (Column 2), and the Social Pillar Score (Column 3) from the Refinitiv Asset4 ESG database during the period of 2002–2018. *** and ** indicate statistical significance at the 1% and 5% level, respectively.

Second, in the staggered adoption of laws across states, groups previously designated as treatment may later become control (Baker et al., 2022). To address this concern, I employed the method proposed by Cengiz et al. (2019) and utilized a stacked sample. Specifically, for each state that adopts a data breach disclosure law in year t, a state that never adopted the laws within a 10-year window (from $t - 5$ to $t + 4$ ) was used as its control group, and then cohorts were stacked based on relative years. The results in Column 2 of Panel A show that the coefficient of Disc Law × Cybersecurity Risk remains of similar magnitude and statistically significant at the 1% level. This suggests that the findings are robust to the stacked sample specification.

5.2. Alternative sample periods

Robustness tests were conducted using two alternative sample periods. First, as noted in Panel B of Table 1, the coverage of KLD expanded to the Russell 3000 index in 2003; thus, 2003–2018 was used as an alternative sample period. The results in Panel B (Column 1) in Table 8 show that the coefficient of Disc Law × Cybersecurity Risk is 0.023 and statistically significant at the 1% level.

Second, the original calculation of the cybersecurity risk measure by Florakis et al. (2022) was done for the period from 2007 to 2018. Therefore, 2007–2018 was used as another alternative sample period. As reported in Column 2 of Panel B in Table 8, the coefficient of Disc Law × Cybersecurity Risk remains similar and statistically significant at the 5% level. This supports the approach of extending the use of the cybersecurity risk measure to a longer sample period.

5.3. Alternative measures of CSR

ESG scores from the Refinitiv Asset4 were used as alternative measures of CSR to address the concern regarding the disagreement of CSR measures (Christensen et al., 2022; Radhakrishnan et al., 2018). Asset4 is another database specializing in ESG ratings and has been widely utilized in prior studies, particularly those based on an international setting, such as Feng et al. (2015), El Ghoul et al. (2017), Liang & Renneboog (2017), and Dyck et al. (2019). Its U.S. version commenced data collection in 2002 and encompasses Russell 1000 firms in the United States, yielding 8723 firm-year observations during the period of 2002–2018. Consistent with previous literature, three measures were employed: the average environmental and social pillar score (ES Score), the environmental pillar score (Environmental), and the social pillar score (Social). As detailed in Panel C of Table 8, all three coefficients are statistically significant, and the results remain robust across these three measures.

5.4. Validating the parallel trend assumption

The validity of the parallel trend assumption was assessed following the methodology proposed by Bertrand & Mullainathan (2003). Specifically, indicators were incorporated corresponding to the years relative to the approval year of data breach disclosure laws. These indicators were then interacted with the measure of cybersecurity risk. As indicated in Table 9, prior to the enactment of these laws, there was no significant difference in CSR performance between firms with high and low levels of cybersecurity risk. This finding aligns with the parallel trend assumption.

**Table 9. Validating the Parallel Trend Assumption**
Dependent Variable	Net CSR
	(1)	(2)
Disc Law $^{- 2}$ × Cybersecurity Risk	$- 0.001$	$- 0.001$
	(−0.23)	(−0.22)
Disc Law $^{- 1} \times$ Cybersecurity Risk	0.003	0.003
	(0.62)	(0.62)
Disc Law⁰ × Cybersecurity Risk	0.001	0.001
	(0.15)	(0.15)
Disc Law $^{+ 1}$ × Cybersecurity Risk	0.013***	0.013***
	(3.46)	(3.32)
Disc Law $^{2 +}$ × Cybersecurity Risk	0.027***	0.027***
	(5.88)	(5.79)
Controls	No	Yes
Firm fixed effects	Yes	Yes
State-year fixed effects	Yes	Yes
Observations	21,727	21,727
Adjusted R-squared	0.618	0.618

Notes: This table reports results on the parallel trend assumption test, following Bertrand & Mullainathan (2003). Disc Law $^{- 2}$ and Disc Law $^{- 1}$ represent the years preceding the approval of a data breach disclosure law. Disc Law⁰ corresponds to the year when a data breach disclosure law was approved in a state, while Disc Law $^{+ 1}$ and Disc Law $^{2 +}$ denote the years following the law’s approval. *** indicates statistical significance at the 1% level.

5.5. Addressing the concern of legal adoption in subsidiaries

Lastly, this study examined the issue of legal adoption within a firm’s subsidiary states. Some firms operate beyond their headquarters, exposing them to data breach disclosure laws even before their home state enacts such legislation. To address this concern, I introduced the variable Disc Law Sub, which serves as an indicator of data breach disclosure law adoption in a firm’s subsidiary states. The subsidiary information was collected from Exhibit 21 of the firm’s 10-K filing. Given that a firm’s subsidiaries may span multiple states and Disc Law Sub cannot be subsumed by state-year fixed effects, Disc Law Sub× Cybersecurity Risk and Disc Law Sub were included in the regression. The results, presented in Table 10, reveal the following: First, the coefficients of Disc Law Sub× Cybersecurity Risk and Disc Law Sub are not statistically significant. This suggests that the adoption of laws in subsidiary states does not impact firms’ CSR initiatives. Second, the coefficient for Disc Law× Cybersecurity Risk is 0.028, which is statistically significant at the 1% level. This coefficient aligns quantitatively with the main analysis, reinforcing the robustness of the findings even when accounting for firms’ subsidiaries.

**Table 10. Addressing the Concern of Legal Adoption in Subsidiaries**
Dependent Variable	Net CSR
	(1)	(2)
*Disc Law* × *Cybersecurity Risk*	0.028***	0.028***
	(4.57)	(4.63)
Disc Law Sub× Cybersecurity Risk	$- 0.002$	$- 0.002$
	(−0.42)	(−0.43)
Disc Law Sub	$- 0.006$	$- 0.006$
	(−1.21)	(−1.28)
Controls	No	Yes
Firm fixed effects	Yes	Yes
State-year fixed effects	Yes	Yes
Observations	21,727	21,727
Adjusted R-squared	0.616	0.617

Notes: This table presents results after accounting for the adoption of data breach disclosure laws in firms’ subsidiary states. The variable Disc Law Sub takes a value 1 if a data breach disclosure law has been adopted in any state where a firm’s subsidiary operates. *** indicates statistical significance at the 1% level.

6. Additional Analyses

6.1. The role of CSR in mitigating stock price declines after data breaches

I conducted an event study to demonstrate that CSR performance helps mitigate the stock price declines after data breaches. Prior studies showed that announcements of a data breach incident lead to a decrease in the firm’s stock price (Cavusoglu et al., 2004; Kamiya et al., 2021). If CSR performance serves as an insurance-like protection against data breaches, it should help mitigate the decrease in stock price.¹⁶ To test this prediction, I first calculated the cumulative abnormal returns (CAR) for firms surrounding data breach announcements and then compared the CARs between firms with high and low levels of CSR performance.

The results are reported in Table 11. Panel A outlines the sample creation process. Data breach announcements were obtained from the Privacy Rights Clearinghouse spanning from 2005 to 2018. By cross-referencing these with Compustat, 1016 data breaches involving U.S. public firms were identified. After removing observations not covered by both CRSP and KLD, 413 data breaches remained in the final sample. Panel B demonstrates that CARs surrounding data breach announcements are significantly negative, corroborating prior literature and underscoring the adverse impact of data breaches on stock prices.¹⁷ Panel C contrasts the CARs between firms with high and low CSR performance. The findings reveal that firms with high Net CSR experience a smaller decline in stock prices. This bolsters the argument that CSR functions as an insurance-like protection against data breaches. A closer look at the two components of Net CSR (i.e., CSR Strengths and CSR Concerns) indicates that the safeguarding effect primarily stems from firms’ proactive endeavors, as captured by CSR Strengths. Conversely, the CARs in firms with high and low levels of CSR Concerns do not exhibit a significant difference.

**Table 11. CSR and Stock Price Decline After Data Breaches**
Panel A: Collecting Data Breach Announcements
			Obs.
Data breach announcements in 2005–2018 after matching with Compustat			1016
Less
The observations that are not covered by CRSP			(389)
The observations that are not covered by KLD			(214)
Remaining data breach announcements			413
Panel B: Cumulative Abnormal Returns (CAR) Around Data Breach Announcements
	Market	FF3F	FF3F+Carhart
CAR [−1, +1]	$- 0.303$ **	$- 0.321$ **	$- 0.311$ **
	(0.015)	(0.010)	(0.015)
CAR [−2, +2]	$- 0.443$ **	$- 0.448$ **	$- 0.455$ **
	(0.021)	(0.019)	(0.018)
CAR [−5, +5]	$- 0.499$ **	$- 0.526$ **	$- 0.502$ **
	(0.043)	(0.031)	(0.039)
Panel C: CSR and CAR
	Market	FF3F	FF3F+Carhart
CAR (Low Net CSR)	$- 0.834$	$- 0.809$	$- 0.729$
CAR (High Net CSR)	$- 0.050$	$- 0.087$	$- 0.180$
Difference in CAR	0.784**	0.722**	0.549*
	(0.036)	(0.047)	(0.103)
CAR (Low CSR Strengths)	$- 0.815$	$- 0.811$	$- 0.758$
CAR (High CSR Strengths)	$- 0.069$	$- 0.084$	$- 0.152$
Difference in CAR	0.746**	0.727**	0.606*
	(0.043)	(0.046)	(0.082)
CAR (High CSR Concerns)	$- 0.399$	$- 0.506$	$- 0.409$
CAR (Low CSR Concerns)	$- 0.487$	$- 0.390$	$- 0.502$
Difference in CAR	$- 0.088$	0.116	$- 0.093$
	(0.581)	(0.394)	(0.585)

Notes: This table shows how CSR mitigates the stock price decline after data breaches. Panel A illustrates the process of collecting data breach announcements. Panel B presents the CARs surrounding data breach announcements based on the market model, Fama-French three-factor (FF3F) model, and Fama-French-Carhart four-factor (FF3F+Carhart) model. The estimation window includes the [−280, −61] trading days prior to the data breach announcements, and I use three event windows: [−1, +1], [−2, +2], and [−5, +5], following Kamiya et al. (2021). The p-values are reported in brackets. Panel C compares the difference in CARs between firms with high and low CSR performance based on the event window [−2, +2]. The CSR performance is measured by Net CSR, CSR strengths, and CSR Concerns. ** and * indicate statistical significance at the 5% and 10% level, respectively.

6.2. Firms’ concern about the reputational impact of data breaches

The link between cybersecurity and CSR initiatives was further examined by drawing insights from textual discussions found in risk factor disclosures in item 1A of Form 10-K filings. My primary objective was to identify narratives in which firms assert their CSR efforts aim to alleviate the negative consequences of potential data breaches. However, risk factor disclosures typically focus solely on the risks faced by firms, rarely addressing countermeasures. Thus, inspired by the research of Gwebu et al. (2018) and Akey et al. (2021), I explored the extent to which firms anticipate that a potential data breach will impact their reputation. Akey et al. (2021) proposed that firms engage in CSR after a data breach to rebuild their reputation. Therefore, if a firm expresses concern about reputational damage resulting from potential data breaches, it signals an inclination toward proactive CSR initiatives.

I manually reviewed risk factor disclosures from the top 10 firms with the highest level of cybersecurity risk. Remarkably, all these firms acknowledge the reputational harm caused by potential data breaches. The pertinent narratives are cataloged in Appendix D. For example, Town Sports International Holdings’ fiscal year 2010 filing explicitly states: “Any compromise of our security could harm our reputation or financial condition and, therefore, our business.” These findings underscore a direct link between cybersecurity, reputational concerns, and CSR initiatives.

7. Conclusions

This study investigated how firms employ CSR activities as a precautionary strategy to address increased cybersecurity concerns after the enactment of data breach disclosure laws in the United States. As the laws improve the disclosure of data breach incidents and increase the attention toward cybersecurity, I expect that firms will have stronger incentives to take precautionary actions to mitigate the negative effects of data breaches. The analyses show that following the enactment of data breach disclosure laws, firms with high cybersecurity risk increase their CSR engagement to a greater extent than those with low risk. This improvement is mainly attributed to firms’ proactive efforts to do good rather than a passive approach of avoiding harm. These findings suggest that data breach disclosure laws encourage firms to engage in more precautionary CSR activities. The results are more pronounced for firms that are likely to encounter substantial losses from data breaches and those with fewer financial constraints. The event study analysis confirmed that better CSR performance alleviates the stock price decline surrounding data breach announcements. This study also highlights firms’ concern about the reputational damage resulting from potential data breaches, as elaborated in their risk factor disclosures, thus signaling firms’ inclination to engage in CSR. Collectively, this study demonstrated that the concern for cybersecurity serves as a significant driver force for social responsibility initiatives in this digital age.

In addition to its contribution to academic research, this study offers valuable insights for practitioners and policymakers. First, the findings underscored an additional benefit of strong CSR performance in the face of cybersecurity challenges, offering additional motivation for firms to actively engage in CSR and ESG activities. Second, the results revealed an unintended positive impact of data breach disclosure laws on CSR in the United States. This suggests that the heightened requirements surrounding data breach disclosure not only enhance firms’ operational transparency but also increase the well-being of stakeholders. Consequently, this study supports the argument for strengthening data breach disclosure regulations globally. However, it is important to consider the specific institutional context when exploring this research question in different country settings.

Acknowledgments

I am grateful to Kirstin Becker, Melanie Feldhues, Sumair Hussain, Fatma Jemaa, Bjørn N. Jørgensen, Weizhi Meng, Luc Paugam, Thomas Plenborg, Thomas Poulsen, Dario Pozzoli, Gabriel Priess, Kasper Regenburg, Grazia Santangelo, Ole Vagn Sørensen, Tao Tang, Steen Thomsen, Wenjun Wen, Liandong Zhang, and the participants of the CBS Workshop on Quantitative Approaches to Green Transitions Research, as well as the seminars at Copenhagen Business School and Technical University of Denmark, for their valuable comments. I also acknowledge the financial support from Copenhagen Business School and the National Social Science Foundation of China (#22BJY254). The standard disclaimer applies.

Notes

¹ This information is detailed in the Cost of a Data Breach Report 2023 published by IBM. The report provides an in-depth analysis of data breach costs based on data from over 550 organizations that have experienced such incidents.

² Note that even though I consider data breaches as incidents that can harm firms’ reputations, this does not necessarily imply that data breaches are ethical scandals. This is because data breaches cannot be entirely prevented (Barton, 2015) and are partly influenced by firms’ technological characteristics, such as the use of information technology (Florakis et al., 2022) and the presence of trade secrets (Ettredge et al., 2018; Hughes et al., 2023).

³ Data breach disclosure laws mandate the disclosure of data breach incidents. They are distinct from the cybersecurity disclosure guidance issued by the Securities and Exchange Commission in 2011, which regulates the disclosure of cybersecurity risk factors rather than data breach incidents (Gao et al., 2020; Li et al., 2018).

⁴ Section 4.4 substantiates this claim by examining how IT investments respond to these laws and contrasting CSR initiatives among firms with differing IT investment levels. The results corroborate this argument.

⁵ For additional information, refer to KPMG’s insights on cybersecurity in ESG (https://kpmg.com/xx/en/home/insights/2023/08/cybersecurity-in-esg.html).

⁶ In addition to the year a state enacted a law, Perkins Coie also collected additional detailed information, including penalties, thresholds, and acceptable delay periods. While variations on these exist among states, they are arguably less impactful than the decision to enact the law. Given that all states have adopted these laws, it would be an intriguing area for future research to investigate the influence of these variations.

⁷ A robustness test considered firms’ operational presence and the adoption of the laws in subsidiary states. The results remain robust.

⁸ Specifically, a firm’s disclosure of cybersecurity risk factors in year t was compared with those of all firms experiencing data breaches in year t − 1. The linguistic similarity measure was calculated as the cosine angle between word vectors, and it ranges between 0 and 1.

⁹ Thirty-three states and territories had approved data breach disclosure laws prior to 2007. As a result, while using the period 2007–2018 aligns with the cybersecurity risk measure of Florakis et al. (2022), it substantially loses variation in legislative changes, and the estimated coefficients may not be as trustworthy as the ones in the main results.

¹⁰ An alternative approach is to include year fixed effects as well. However, this can be captured by the year element in state-year fixed effects.

¹¹ Meanwhile, due to the exclusion of fixed effects, the R-squared value decreased from 0.617 in Column 1 to 0.480 and 0.216 in Columns 2 and 3, respectively.

¹² To ensure comparability with other studies, the economic impact was calculated based on a one-standard-deviation change in the independent variable, as some studies did not use a binary independent variable.

¹³ Some other studies mentioned in this paper also addressed the determinants of CSR. However, the methodologies they employed are not directly comparable to this study; therefore, I do not discuss them here. These studies include Godfrey et al. (2009), Lys et al. (2015), El Ghoul et al. (2017), Lins et al. (2017), Liang & Renneboog (2017), and Albuquerque et al. (2019).

¹⁴ The definitions of IT Officerand Tech Committee can be found in Appendix A. Table 2 presents summary statistics for these variables. The information on IT officers and technology committees was collected from ExecuComp and BoardEx, respectively.

¹⁵ In Panel B, even though the coefficient estimates in even columns are greater than those in odd columns in terms of magnitude, the Wald tests are not statistically significant. This could be partially attributed to the relatively small number of observations in firms with IT officers or technology committees. Therefore, these results should be interpreted with caution.

¹⁶ Relatedly, Bamiatzi et al. (2023) showed that CSR mitigates the decrease of firm profitability surrounding breaches.

¹⁷ I used three different asset-pricing models, including the market model, the Fama & French (1993) three-factor (FF3F) model, and the Fama–French–Carhart (Carhart, 1997) four-factor model, to estimate the expected returns. The models’ parameters were estimated using a window of 220 trading days [−280, −61], following the method proposed by Kamiya et al. (2021). The CARs were calculated using the event windows of [−1, +1], [−2, +2], and [−5, +5]. Panel C reports the results based on the event window of [−2, +2], and they are also robust to the event window of [−1, +1] and [−5, +5].

Appendix A. Variable Definitions

Table A.1.

Variable	Definition
Social responsibility initiatives
Net CSR	Net CSR score, measured as CSR Strengths minus CSR Concerns, following Deng et al. (2013), Servaes & Tamayo (2013), and Albuquerque et al. (2019)
CSR Strengths	The number of strengths in the six categories of CSR, divided by the maximum possible number of strengths in the six categories of CSR
CSR Concerns	The number of concerns in the six categories of CSR, divided by the maximum possible number of concerns in the six categories of CSR
Each category of CSR
Community	The scaled number of strengths minus the scaled number of concerns in the community category of CSR
Diversity	The scaled number of strengths minus the scaled number of concerns in the diversity category of CSR
Employee Relations	The scaled number of strengths minus the scaled number of concerns in the employee relations category of CSR
Environmental Performance	The scaled number of strengths minus the scaled number of concerns in the environmental performance category of CSR
Human Rights	The scaled number of strengths minus the scaled number of concerns in the human rights category of CSR
Product	The scaled number of strengths minus the scaled number of concerns in the product category of CSR
Alternative measures of CSR
ES Score	The average of the environmental pillar score and social pillar score in the Refinitiv Asset4 ESG database
Environmental	The environmental pillar score in the Refinitiv Asset4 ESG database
Social	The social pillar score in the Refinitiv Asset4 ESG database
Data breach disclosure laws and cybersecurity risk
Disc Law	Indicator that takes the value 1 if a data breach disclosure law had been adopted in a state in a year, 0 otherwise, following Boasiako & Keefe (2021) and Ashraf & Sunder (2023)
Cybersecurity Risk	Indicator that signifies a high-level firm-specific cybersecurity risk
Cybersecurity Risk (Continuous)	The continuous measure of firm-specific cybersecurity risk derived from Florakis et al. (2022)
Control variables
Size	Natural logarithm of lagged total assets
Leverage	Long-term debt divided by total assets
Profitability	Pretax income divided by lagged total assets
Market to Book	Market value of common equity divided by book value of common equity
Cash Holding	Cash and cash equivalent divided by lagged total assets
PPE	Net property, plant, and equipment divided by lagged total assets
Intangible Assets	Intangible assets divided by lagged total assets
Sales Growth	Change of sales revenue divided by lagged sales revenue
Variables for cross-sectional analyses
Profit Margin	Income before extraordinary items scaled by sales revenue, following Huang et al. (2017)
R&D Intensity	R&D expenses scaled by sales revenue, following Ellis et al. (2012)
Kaplan–Zingales Index	Kaplan & Zingales (1997) Index, with the coefficients from Lamont et al. (2001)
Size–Age Index	Size−age index developed by Hadlock & Pierce (2010)
IT Officer	Indicator that a firm employs a chief information officer, chief security officer, chief technology officer, or other high-rank executives with related responsibilities, following Banker & Feng (2019), Huang & Wang (2021), and Ashraf & Sunder (2023)
Tech Committee	Indictor for the presence of a board-level technology committee within a firm, following Higgs et al. (2016)

Appendix B. Univariate Analysis

Table B.1.

	Pre	Post	Difference (Post−Pre)	Difference-in-Differences
Low Cybersecurity Risk	$- 0.014$	0.015	0.029***
			(12.809)
				0.026***
High Cybersecurity Risk	0.008	0.063	0.055***	(6.77 )
			(18.155)

Notes: This table presents a univariate analysis examining the impact of data breach disclosure laws on CSR initiatives. It first shows the change in CSR before and after the approval of these laws in groups with low and high levels of cybersecurity risk, and then compares the difference between groups. *** indicates statistical significance at the 1% level.

Appendix C. Comparing the Economic Magnitudes in Prior Studies

Table C.1.

	Independent Variable	SD	Coefficient	SD of DV	Magnitude
This paper	Disc Law× Cybersecurity Risk	0.486	0.026	0.124	10.19%
Xu & Kim (2022)	Text FC	0.200	0.221	5.844	0.76%
Dyck et al. (2019)	Total IO	0.168	0.124	2.603 (LnSoc)	0.80%
			0.268	3.006 (LnEnv)	1.50%
Hong et al. (2012)	KZ Score	1.240	$- 0.112$	2.42	5.74%
Sun & Gunia (2018)	RE Value	0.613	$- 0.345$	2.241	9.44%
Kacperczyk (2009)	Takeover Protection	0.357	0.507	0.459	39.43%

Notes: This table assesses the economic significance of regression coefficients by comparing them with prior studies. Economic magnitude is calculated as the absolute value of the regression coefficient multiplied by the standard deviation of the independent variable divided by the standard deviation of the dependent variable.

Appendix D. Firms’ Concern about the Reputational Impact of Data Breaches

Table D.1.

Filings	Narratives
Town Sports International Holdings (2010)	Any compromise of our security could harm our *reputation* or financial condition and, therefore, our business; We may become subject to litigation or administrative sanctions, which could result in significant fines, penalties or damages and harm to our *reputation*
Stamps.com Inc. (2010)	Any breach of these security measures would severely impact our business and *reputation* and would likely result in the loss of customers and revenues; Should someone circumvent our security measures, our *reputation*, business, financial condition, and results of operations could be seriously harmed
Walgreens Boots Alliance, Inc. (2018)	Cybersecurity and other information technology security risks...could attract a substantial amount of media attention, damage our customer relationships and *reputation*; Confidential information being accessed, obtained, damaged…could harm our *reputation* and expose us to regulatory actions; Our *reputation* could be damaged and we could be subject to additional litigation; Any such breach or unauthorized access could result in significant legal and financial exposure, damage to our *reputation*
Dexcom, Inc. (2017)	Any such access, disclosure or other loss of information could… damage our *reputation; The occurrence of any of these events could result in… (v)* *reputational* damage and (vi) foreign, federal and state governmental inquiries, any of which could have a material, adverse effect on our financial position and results of operations and harm our business *reputation*
OpenTable, Inc. (2010)	Any such compromise of our security could damage our *reputation* and brand, result in a violation of applicable privacy and other laws; A party that is able to circumvent our security measures or those of our third-party service providers could misappropriate proprietary information…or otherwise damage our *reputation* and business
Comtech Telecom (2016)	A security breach or other significant disruption…damage our *reputation* with our customers; A security breach or inappropriate disclosure of personal, private or confidential information could harm our *reputation* and our relationships with current and potential customers and end users
Evoqua Water Technologies Corp. (2018)	Possible impacts associated with a cybersecurity incident may include…litigation and *reputational* damage; We could potentially be subject to…regulatory enforcement actions and/or damage to our *reputation*; Any theft, loss and/or fraudulent use of customer, employee or proprietary data as a result of a cyber attack could… adversely impact our *reputation* with customers; A significant data security breach may result in… negative publicity resulting in *reputation* or brand damage with customers
WEX Inc. (2017)	We may not be able to adequately protect our information systems… subject us to liability and damage our *reputation; Any actual or perceived breach of our security could…materially harm our* *reputation* and brand; Incidents involving our handling of this protected and sensitive information…may damage our *reputation*; Any security breach…could expose us to…litigation, regulatory scrutiny, and/or cause damage to our *reputation*
IDT Corporation (2016)	Network disruptions, security breaches and other significant failures…damage our *reputation* among our customers and the public generally
GoDaddy Inc. (2017)	Any actual or perceived breach of our security, or any other data security incident, could damage our *reputation* and brand; If a breach of our security or other data security incident occurs or is perceived to have occurred…our *reputation* could be harmed; Any failure or perceived failure by us to comply with U.S., E.U. or other foreign privacy or security laws…could cause our customers to lose trust in us, which could have an adverse effect on our *reputation* and business; Our failure to limit fraudulent transactions conducted on our websites…could also subject us to liability and adversely impact our *reputation; Our* *reputation* may be harmed if our partners fail to protect our customers’ information

ORCID

Yanlei Zhang https://orcid.org/0000-0003-1580-4813

References

Akey, P., Lewellen, S., Liskovich, I., & Schiller, C. (2021). Hacking corporate reputations. Rotman School of Management Working Paper. Google Scholar
Albuquerque, R., Koskinen, Y., & Zhang, C. [2019] Corporate social responsibility and firm risk: Theory and empirical evidence. Management Science, 65(10), 4451–4469. https://doi.org/10.1287/mnsc.2018.3043 Crossref, Google Scholar
Amir, E., Levi, S., & Livne, T. [2018] Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177–1206. https://doi.org/10.1007/s11142-018-9452-4 Crossref, Google Scholar
André, P., Filip, A., & Moldovan, R. [2016] Segment disclosure quantity and quality under IFRS 8: Determinants and the effect on financial analysts’ earnings forecast errors. The International Journal of Accounting, 51(4), 443–461. https://doi.org/10.1016/j.intacc.2016.10.008 Crossref, Google Scholar
Ashraf, M., & Sunder, J. [2023] Can shareholders benefit from consumer protection disclosure mandates? Evidence from data breach disclosure laws. The Accounting Review, 98(4), 1–32. https://doi.org/10.2308/TAR-2020-0787 Crossref, Google Scholar
Baiyere, A., Salmela, H., & Tapanainen, T. [2020] Digital transformation and the new logics of business process management. European Journal of Information Systems, 29(3), 238–259. https://doi.org/10.1080/0960085X.2020.1718007 Crossref, Google Scholar
Baker, A., Larcker, D. F., & Wang, C. C. [2022] How much should we trust staggered difference-in-differences estimate? Journal of Financial Economics, 144(2), 370–395. https://doi.org/10.1016/j.jfineco.2022.01.004 Crossref, Google Scholar
Bamiatzi, V., Dowling, M., Gogolin, F., Kearney, F., & Vigne, S. [2023] Are the good spared? Corporate social responsibility as insurance against cyber security incidents. Risk Analysis, 43(12), 2503–2518. https://doi.org/10.1111/risa.14122 Crossref, Google Scholar
Banker, R. D., & Feng, C. [2019] The impact of information security breach incidents on CIO turnover. Journal of Information Systems, 33(3), 309–329. https://doi.org/10.2308/isys-52532 Crossref, Google Scholar
Barton, D. (2015, March 10). When will your data breach happen? Not a question of if but when. Security Infowatch. https://www.securityinfowatch.com/cybersecurity/information-security/article/12052877/preparing-for-your-companys-inevitable-data-breach Google Scholar
Bartov, E., Marra, A., & Momenté, F. [2021] Corporate social responsibility and the market reaction to negative events: Evidence from inadvertent and fraudulent restatement announcements. The Accounting Review, 96(2), 81–106. https://doi.org/10.2308/tar-2018-0281 Crossref, Google Scholar
Bertrand, M., & Mullainathan, S. [2003] Enjoying the quiet life? Corporate governance and managerial preferences. Journal of Political Economy, 111(5), 1043–1075. https://doi.org/10.1086/376950 Crossref, Google Scholar
Boasiako, K. A., & Keefe, M. O. [2021] Data breaches and corporate liquidity management. European Financial Management, 27(3), 528–551. https://doi.org/10.1111/eufm.12289 Crossref, Google Scholar
Carhart, M. M. [1997] On persistence in mutual fund performance. The Journal of Finance, 52(1), 57–82. https://doi.org/10.1111/j.1540-6261.1997.tb03808.x Crossref, Google Scholar
Cavusoglu, H., Mishra, B., & Raghunathan, S. [2004] The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70–104. https://doi.org/10.1080/10864415.2004.11044320 Crossref, Google Scholar
Cengiz, D., Dube, A., Lindner, A., & Zipperer, B. [2019] The effect of minimum wages on low-wage jobs. The Quarterly Journal of Economics, 134(3), 1405–1454. https://doi.org/10.1093/qje/qjz014 Crossref, Google Scholar
Christensen, D. M., Serafeim, G., & Sikochi, A. [2022] Why is corporate virtue in the eye of the beholder? The case of ESG ratings. The Accounting Review, 97(1), 147–175. https://doi.org/10.2308/TAR-2019-0506 Crossref, Google Scholar
Deng, X., Kang, J., & Low, B. S. [2013] Corporate social responsibility and stakeholder value maximization: Evidence from mergers. Journal of Financial Economics, 110(1), 87–109. https://doi.org/10.1016/j.jfineco.2013.04.014 Crossref, Google Scholar
Dewett, T., & Jones, G. R. [2001] The role of information technology in the organization: A review, model, and assessment. Journal of Management, 27(3), 313–346. https://doi.org/10.1016/S0149-2063(01)00094-0 Crossref, Google Scholar
Dyck, A., Lins, K. V., Roth, L., & Wagner, H. F. [2019] Do institutional investors drive corporate social responsibility? International evidence. Journal of Financial Economics, 131(3), 693–714. https://doi.org/10.1016/j.jfineco.2018.08.013 Crossref, Google Scholar
El Ghoul, S., Guedhami, O., & Kim, Y. [2017] Country-level institutions, firm value, and the role of corporate social responsibility initiatives. Journal of International Business Studies, 48(3), 360–385. https://doi.org/10.1057/jibs.2016.4 Crossref, Google Scholar
Ellis, J. A., Fee, C. E., & Thomas, S. E. [2012] Proprietary costs and the disclosure of information about customers. Journal of Accounting Research, 50(3), 685–727. https://doi.org/10.1111/j.1475-679X.2012.00441.x Crossref, Google Scholar
Ettredge, M., Guo, F., & Li, Y. [2018] Trade secrets and cyber security breaches. Journal of Accounting and Public Policy, 37(6), 564–585. https://doi.org/10.1016/j.jaccpubpol.2018.10.006 Crossref, Google Scholar
Fama, E. F., & French, K. R. [1993] Common risk factors in the returns on stocks and bonds. Journal of Financial Economics, 33(1), 3–56. https://doi.org/10.1016/0304-405X(93)90023-5 Crossref, Google Scholar
Feng, Z., Wang, M., & Huang, H. [2015] Equity financing and social responsibility: Further international evidence. The International Journal of Accounting, 50(3), 247–280. https://doi.org/10.1016/j.intacc.2015.07.005 Crossref, Google Scholar
Florakis, C., Louca, C., Michaely, R., & Weber, M. [2022] Cybersecurity risk. The Review of Financial Studies, 36, 351–407. https://doi.org/10.1093/rfs/hhac024 Crossref, Google Scholar
Gao, L., Calderon, T. G., & Tang, F. [2020] Public companies’ cybersecurity risk disclosures. International Journal of Accounting Information Systems, 38, 100468. https://doi.org/10.1016/j.accinf.2020.100468 Crossref, Google Scholar
Garg, P. [2020] Cybersecurity breaches and cash holdings: Spillover effect. Financial Management, 49(2), 219–503. https://doi.org/10.1111/fima.12274 Crossref, Google Scholar
Godfrey, P. C. [2005] The relationship between corporate philanthropy and shareholder wealth: A risk management perspective. Academy of Management Review, 30(4), 777–798. https://doi.org/10.5465/amr.2005.18378878 Crossref, Google Scholar
Godfrey, P. C., Merrill, C. B., & Hansen, J. M. [2009] The relationship between corporate social responsibility and shareholder value: An empirical test of the risk management hypothesis. Strategic Management Journal, 30(4), 425–445. https://doi.org/10.1002/smj.750 Crossref, Google Scholar
Gwebu, K. L., Wang, J., & Wang, L. [2018] The role of corporate reputation and crisis response strategies in data breach management. Journal of Management Information Systems, 35(2), 683–714. https://doi.org/10.1080/07421222.2018.1451962 Crossref, Google Scholar
Hadlock, C. J., & Pierce, J. R. [2010] New evidence on measuring financial constraints: Moving beyond the KZ index. The Review of Financial Studies, 23(5), 1909–1940. https://doi.org/10.1093/rfs/hhq009 Crossref, Google Scholar
Higgs, J. L., Pinsker, R. E., Smith, T. J., & Young, G. R. [2016] The relationship between board-level technology committees and reported security breaches. Journal of Information Systems, 30(3), 79–98. https://doi.org/10.2308/isys-51402 Crossref, Google Scholar
Hoberg, G., & Phillips, G. [2010] Product market synergies and competition in mergers and acquisitions: A text-based analysis. The Review of Financial Studies, 23(10), 3773–3811. https://doi.org/10.1093/rfs/hhq053 Crossref, Google Scholar
Hoberg, G., Phillips, G., & Prabhala, N. [2014] Product market threats, payouts, and financial flexibility. The Journal of Finance, 69(1), 293–324. https://doi.org/10.1111/jofi.12050 Crossref, Google Scholar
Hong, H., Kubik, J. D., & Scheinkman, J. A. (2012). Financial constraints on corporate goodness. NBER Working Paper 18476. Google Scholar
Huang, H. H., & Wang, C. [2021] Do banks price firms’ data breaches? The Accounting Review, 96(3), 261–286. https://doi.org/10.2308/TAR-2018-0643 Crossref, Google Scholar
Huang, Y., Jennings, R., & Yu, Y. [2017] Product market competition and managerial disclosure of earnings forecasts: Evidence from import tariff rate reductions. The Accounting Review, 92(3), 185–207. https://doi.org/10.2308/accr-51558 Crossref, Google Scholar
Hughes, H., Smith, T. J., & Walton, S. [2023] Material contract redactions and cybersecurity breaches. Accounting Horizons, 37(3), 193–219. https://doi.org/10.2308/HORIZONS-2020-166 Crossref, Google Scholar
Hui, K., Vance, A., & Zhdanov, D. (2016, May 27). Securing digital assets. MIS Quarterly Research Curations. https://www.misqresearchcurations.org/blog/2017/5/10/securing-digital-assets-1 Google Scholar
Ioannou, I., & Serafeim, G. [2015] The impact of corporate social responsibility on investment recommendations: Analysts’ perceptions and shifting institutional logics. Strategic Management Journal, 36(7), 1053–1081. https://doi.org/10.1002/smj.2268 Crossref, Google Scholar
Iyer, S. R., Simkins, B. J., & Wang, H. [2020] Cyberattacks and impact on bond valuation. Finance Research Letters, 33, 101215. https://doi.org/10.1016/j.frl.2019.06.013 Crossref, Google Scholar
Jia, Y., Gao, X., & Julian, S. [2020] Do firms use corporate social responsibility to insure against stock price risk? Evidence from a natural experiment. Strategic Management Journal, 41(2), 290–307. https://doi.org/10.1002/smj.3107 Crossref, Google Scholar
Jiao, Y. [2010] Stakeholder welfare and firm value. Journal of Banking & Finance, 34(10), 2549–2561. https://doi.org/10.1016/j.jbankfin.2010.04.013 Crossref, Google Scholar
Kacperczyk, A. [2009] With greater power comes greater responsibility? Takeover protection and corporate attention to stakeholders. Strategic Management Journal, 30(3), 261–285. https://doi.org/10.1002/smj.733 Crossref, Google Scholar
Kamiya, S., Kang, J., Kim, J., Milidonis, A., & Stulz, R. M. [2021] Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics, 139(3), 719–749. https://doi.org/10.1016/j.jfineco.2019.05.019 Crossref, Google Scholar
Kaplan, S. N., & Zingales, L. [1997] Do investment-cash flow sensitivities provide useful measures of financing constraints? The Quarterly Journal of Economics, 112(1), 169–215. https://doi.org/10.1162/003355397555163 Crossref, Google Scholar
Koh, P. S., Qian, C., & Wang, H. [2014] Firm litigation risk and the insurance value of corporate social performance. Strategic Management Journal, 35(10), 1464–1482. https://doi.org/10.1002/smj.2171 Crossref, Google Scholar
Lamont, O., Polk, C., & Saá-Requejo, J. [2001] Financial constraints and stock returns. The Review of Financial Studies, 14(2), 529–554. https://doi.org/10.1093/rfs/14.2.529 Crossref, Google Scholar
Levine, R., Lin, C., & Xie, W. [2018] Corporate resilience to banking crises: The roles of trust and trade credit. Journal of Financial and Quantitative Analysis, 53(4), 1441–1477. https://doi.org/10.1017/S0022109018000224 Crossref, Google Scholar
Li, H., No, W. G., & Boritz, J. E. [2020] Are external auditors concerned about cyber incidents? Evidence from audit fees. Auditing: A Journal of Practice and Theory, 39(1), 151–171. https://doi.org/10.2308/ajpt-52593 Crossref, Google Scholar
Li, H., No, W. G., & Wang, T. [2018] SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. International Journal of Accounting Information Systems, 30, 40–55. https://doi.org/10.1016/j.accinf.2018.06.003 Crossref, Google Scholar
Liang, H., & Renneboog, L. [2017] On the foundations of corporate social responsibility. The Journal of Finance, 72(2), 853–910. https://doi.org/10.1111/jofi.12487 Crossref, Google Scholar
Lins, K. V., Servaes, H., & Tamayo, A. [2017] Social capital, trust, and firm performance: The value of corporate social responsibility during the financial crisis. The Journal of Finance, 72(4), 1785–1824. https://doi.org/10.1111/jofi.12505 Crossref, Google Scholar
Loebbecke, C., & Picot, A. [2015] Reflections on societal and business model transformation arising from digitization and big data analytics: A research agenda. The Journal of Strategic Information Systems, 24(3), 149–157. https://doi.org/10.1016/j.jsis.2015.08.002 Crossref, Google Scholar
Luo, J., Kaul, A., & Seo, H. [2018] Winning us with trifles: Adverse selection in the use of philanthropy as insurance. Strategic Management Journal, 39(10), 2591–2617. https://doi.org/10.1002/smj.2935 Crossref, Google Scholar
Lys, T., Naughton, J. P., & Wang, C. [2015] Signaling through corporate accountability reporting. Journal of Accounting and Economics, 60(1), 56–72. https://doi.org/10.1016/j.jacceco.2015.03.001 Crossref, Google Scholar
Muehlenbachs, L., Spiller, E., & Timmins, C. [2015] The housing market impacts of shale gas development. American Economic Review, 105(12), 3633–3659. http://dx.doi.org/10.1257/aer.20140079 Crossref, Google Scholar
Nolan, R., & McFarlan, F. W. [2005] Information technology and the board of directors. Harvard Business Review, 83(10), 96–106. Google Scholar
Perkins Coie. (2020). Security breach notification chart. https://perkinscoie.com/insights/publication/security-breach-notification-chart. Google Scholar
Radhakrishnan, S., Tsang, A., & Liu, R. [2018] A corporate social responsibility framework for accounting research. The International Journal of Accounting, 53(4), 274–294. https://doi.org/10.1016/j.intacc.2018.11.002 Crossref, Google Scholar
Romanosky, S. [2016] Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121–135. https://doi.org/10.1093/cybsec/tyw001 Google Scholar
Romanosky, S., Hoffman, D., & Acquisti, A. [2014] Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), 74–104. https://doi.org/10.1111/jels.12035 Crossref, Google Scholar
Rosati, P., Gogolin, F., & Lynn, T. [2019] Audit firm assessments of cyber-security risk: evidence from audit fees and SEC comment letters. The International Journal of Accounting, 54(3), 1950013. https://doi.org/10.1142/S1094406 019500136 Link, Google Scholar
Servaes, H., & Tamayo, A. [2013] The impact of corporate social responsibility on firm value: The role of customer awareness. Management Science, 59(5), 1045–1061. https://doi.org/10.1287/mnsc.1120.1630 Crossref, Google Scholar
Shiu, Y. M., & Yang, S. L. [2017] Does engagement in corporate social responsibility provide strategic insurance-like effects? Strategic Management Journal, 38(2), 455–470. https://doi.org/10.1002/smj.2494 Crossref, Google Scholar
Sun, X., & Gunia, B. C. [2018] Economic resources and corporate social responsibility. Journal of Corporate Finance, 51, 332–351. https://doi.org/10.1016/j.jcorpfin.2018.06.009 Crossref, Google Scholar
Tanriverdi, H., & Du, K. [2020] Corporate strategy changes and information technology control effectiveness in multibusiness firms. MIS Quarterly, 44(4), 1573–1617. https://doi.org/10.25300/misq/2020/14223 Crossref, Google Scholar
Verhoef, P. C., Broekhuizen, T., Bart, Y., Bhattacharya, A., Dong, J. Q., Fabian, N., & Haenlein, M. [2021] Digital transformation: A multidisciplinary reflection and research agenda. Journal of Business Research, 122, 889–901. https://doi.org/10.1016/j.jbusres.2019.09.022 Crossref, Google Scholar
Verizon. (2020, May 19). The Verizon 2020 data breach investigations report. Verizon. https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report Google Scholar
Xu, Q., & Kim, T. [2022] Financial constraints and corporate environmental policies. The Review of Financial Studies, 35(2), 576–635. https://doi.org/10.1093/rfs/hhab056 Crossref, Google Scholar
Zhang, Y., García Lara, J. M., & Tribó, J. A. [2020] Unpacking the black box of trade credit to socially responsible customers. Journal of Banking & Finance, 119, 105908. https://doi.org/10.1016/j.jbankfin.2020.105908 Crossref, Google Scholar

Online Ready

Metrics

Downloaded 92 times

History

Published: 12 December 2024

Keywords

PDF download

System Upgrade on Tue, May 28th, 2024 at 2am (EDT)