Koutroumpis, Pantelis and Ravasan, Farshad and Tarannum, Taheya
Data breaches account for a significant share of cyber attacks. While they severely impact customers, who lose valuable personal data, they often have a limited effect on the operations of data-holding companies. This might lead firms to underinvest in cybersecurity. Does stronger data protection alleviate the effects of these misaligned incentives? We address this question by examining the link between firms' cybersecurity hirings and stronger data protection laws and enforcement. We study two institutional changes that affect data protection enforcement by the Information Commissioner's Office (ICO) in the UK. The first is the removal, in 2015, of the requirement to prove substantial damage and distress, which gives the ICO greater discretion to issue monetary penalties. The second is the enactment of the Data Protection Act 2018, which significantly raises the ceiling on monetary penalties. To examine the effects of these legal changes, we assemble a novel dataset from ICO activity logs that comprises more than 5,000 supervisory actions. We construct an index of exposure to ICO enforcement at the three-digit industry level. Combining the sectoral variation with the timing of the legal changes, our paper produces two novel insights. First, we evaluate the effectiveness of two policy instruments, namely frequent monetary penalties and mega-fines. We find that both instruments are effective in increasing investment in cyber skills. While the impact of mega-fines is substantially stronger, it is less homogeneous across firms with different cash balances, ages, and digital technology profiles. Second, despite the effectiveness of stronger data protection laws and enforcement, they have a negative impact on firm dynamics, reducing the entry rate by up to 1.4 percentage points and increasing the exit rate by up to 0.9 percentage points.