Apologize or Justify? Examining the Impact of Data Breach Response Actions on Stock Value of Affected Companies?

As cybersecurity incidents increase and become more potent, affected companies must react. This is especially relevant for data breaches, where companies are legally required to notify those affected. Hence, it can be assumed that data breaches invariably cause damage through disappointed customers and dissatisfied investors. By applying response actions of a response strategy in a data breach announcement, a company can mitigate these consequences. However, the literature reveals an inconsistent landscape regarding the effect of response actions on customers or investors. Using an event study, we show that the response actions impact a company's stock value and that this impact does not necessarily match the impact on the customer. We code the real-world response actions to data breaches, examining their impact on investor behavior using stock value. The results show that data breaches involving customer data have a negative impact on stock value. In addition, an apology for a data breach has been found to have harmful effects on investor behavior. Whereas justifying the data breach has no or a positive impact. These results add to the investor-focused literature on data breaches, showing that an impact on stock value can emerge from response actions. The literature on data breaches can be informed by the fact that not just is the customer perspective important, but also reactions from other affected groups should be included in formulating a response strategy. The paper also provides practical implications, showing how companies can improve their response strategies based on the results.