Understanding Changes in Individual and Firm Behavior in Response to Security and Privacy Factors
Publisher: The University of Arizona.
Rights: Copyright © is held by the author. Digital access to this material is made possible by the University Libraries, University of Arizona. Further transmission, reproduction, presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
Abstract: We investigate consumer and firm responses to information privacy and security factors across three unique essays. The first essay uses three experiments across two different populations (college students and Amazon Mechanical Turk workers) to capture consumer valuations for an information disclosure. Each experiment manipulates characteristics of a required privacy disclosure by altering the information context, intended secondary use of the disclosed private information, and the requirement to disclose personally identifiable information. Across the three experiments, we consistently observe null effects for each of the privacy factors, apart from two population-dependent exceptions. Our participants do acknowledge the increased risk introduced by the experimental factors, and the increased saliency and awareness from experiments two and three lead to higher privacy valuations on average. However, there is no consistent manifestation as significant main effects for the three privacy factors. The second essay analyzes firms experiencing multiple data breaches and determines which policies in data breach notification laws are effective deterrents. The results from estimating a parametric hazard model indicate that allowing the individual responsible for maliciously breaching a firm’s data and requiring firms to disclose breach information to a state attorney general deter firms from subsequent breaches. We also find that states that do not require breach notification when consumers are unlikely to be harmed see an increase in risk of future breach. Additionally, we investigate the relationship between industry type and breach type as well as prior breach type and subsequent breach type. Our results suggest that government agencies are more likely to have an internal breach, educational institutions are more likely to experience system hacking, and retail businesses are more susceptible to employee-related breaches. The relationship between prior and subsequent breach types indicates that firms are more likely to experience future data breaches of the same type. The third essay focuses on data breaches within hospitals by studying the effect of breaches on patient outcomes through changes in process of care. We merge several sources of data to create a unique panel data set containing information on hospitals’ healthcare information technology characteristics, process of care measures, meaningful use attestation, and data breach experience. Estimating a 2SLS fixed effect panel data model shows that experiencing a data breach leads to improvements in process of care. Meaningful use attestation, on the other hand, reduces the process of care for common medical conditions. We also find that improving the process of care for medical conditions leads to better patient outcomes for those conditions. Thus, our findings demonstrate that, through influencing the process of care, a data breach improves patient outcomes while achieving meaningful use worsens patient outcomes. The combination of these three essays offers a unique perspective into how consumers and firms perceive information privacy and security. Ultimately, consumers and firms demonstrate that information privacy and security is not a priority unless proper incentive mechanisms and adequate information are present.
Degree Program: Graduate College
Management Information Systems