A Preemptive and Curative Solution to Mitigate Data Breaches: Corporate Social Responsibility as a Double Layer of Protection

The worldwide surge in corporate data breaches has reached epidemic proportions. In 2020 alone, over 37 billion confidential records were compromised in 4,396 publicly reported breaches (RBS 2022), the highest number since 2005. It is common for data breaches to involve sensitive consumer information like social security numbers, medical history, and information about insurance, banking, or finances (Identity Theft Resource Center 2023) and to have enormous financial implications for firms, with the average cost per incident in the United States exceeding $9.05 million (IBM Security 2021). Other grave repercussions include damaging consumer and supplier relationships, injuring employee morale, causing price increases, and disrupting marketing investments (IBM 2022; Schlackl, Link, and Hoehle 2022). For example, in 2017, when Verizon was negotiating to acquire Yahoo, the latter experienced a massive data breach (3 billion accounts; Womack 2017) that delayed the deal and caused a $925 million reduction in the sale price. Likewise, in 2019 Capital One endured a data breach whose final cost was estimated to fall in the range of $100 million–$150 million (Smith 2019).

To date, scholarship has largely focused either on identifying information technology (IT) factors that prevent data breaches (e.g., IT security [Sen and Borle 2015]; technological processes [McLeod and Dolezel 2018]) or on examining specific postbreach recovery tactics aimed at consumers, such as compensation and apology (Goode et al. 2017; Rasoulian et al. 2017). This research has produced useful insights, yet it is surprising that none has examined ways to simultaneously prevent and recover from data breaches, which are closely connected phenomena and justify the exploration of potential firm-level strategies to address both. Such a strategy would allow firms to better allocate their spending, leading them to become more secure (Li, Larimo, and Leonidou 2021, p. 64) and more capable both of protecting their marketing investments and of attenuating other adverse consequences (American Marketing Association 2022).

Drawing on stakeholder theory (Freeman 1984), which posits that firms must consider the interests of all stakeholders, including owners, employees, customers, and communities, we argue that corporate social responsibility (CSR) offers a double layer of protection by helping firms prevent and recover from data breaches. Along similar lines as the single article of which we are aware that examines CSR's impact on data breaches (i.e., prevention; D’Arcy et al. 2020), we distinguish types of CSR in our theorizing, separately contemplating activities that focus on primary stakeholders such as employees and customers, which we label “internal,” or on secondary stakeholders such as local communities, which we label “external.” This approach allows us to accommodate CSR's multifaceted structure (Hawn and Ioannou 2016) and document different effects on preventing and recovering from data breaches. We also investigate what level of CSR is most effective, which jointly yields insights to suggest the level of CSR investment firms should prioritize given their own strategic position and managerial goals.

Next, we review the literature and advance several hypotheses (Figure 1). We propose that because it is directed at primary stakeholders and entails more credible investments in processes and prioritizing consumer and employee satisfaction, internal CSR is generally more effective than external CSR in preventing (H_1a) and recovering from (H_2a) data breaches. We also argue in favor of important asymmetric effects. First, we suggest (H_1b) that compared with firms with inferior internal CSR, firms with moderate and high internal CSR will be breached at similarly lower levels due to comparable effects on demotivating intruders. Second, we argue (H_2b) that only firms with superior internal CSR have the requisite managerial and operational excellence to recover from data breaches in a way that surpasses market expectations, thereby propping up their postbreach financial performance.

OPEN IN VIEWER

Figure 1.

General Theoretical Model.

In Study 1 we conduct an econometric analysis using 14 years of data on CSR, data breaches, and financial information of public U.S. firms. The results show that external CSR has no prophylactic effect but that compared with low levels of internal CSR, moderate and high levels of internal CSR are equally effective at thwarting data breaches. Study 2 assesses CSR's mitigation of negative financial impact following a data breach by examining (1) short-term effects (in the form of an event study on cumulative abnormal returns) and (2) long-term effects (with time-series analysis of Tobin's q). The results suggest that superior levels of internal CSR are associated with strong recoveries over time, whereas the positive effect of external CSR is short-lived. We also conduct several posttests to probe the dynamics behind these effects.

The article makes several contributions. First, research on data breaches has largely focused on tactics that address either prevention or recovery. In contrast, we investigate a firm-level strategy that simultaneously addresses both, a point of view that captures their intrinsically linked nature and that is capable of assisting firms in making investment decisions around this critical issue. This strategic perspective also reflects the nature of data breaches whose impact goes “beyond the IT department and involve[s] management and non-IT employees” with consequences extending to corporate reputation and company stock price (Schlackl, Link, and Hoehle 2022, p. 1). Second, by contemplating different types of CSR, we are able to uncover novel asymmetric effects that would be obscured if we took a global view of CSR (D’Arcy et al. 2020). For example, Study 1 reveals that a global measure of CSR helps prevent data breaches, but further examination reveals that this effect is driven by internal CSR only. Likewise, as Studies 2a and 2b demonstrate, using a global approach would make it difficult to justify investing in CSR to recover from data breaches because an aggregate measure of CSR hardly impacts short- and long-term recoveries. Extrapolating from these results, one might falsely conclude that CSR offers no more than a tepid strategy to counter the threat of data breaches. But because we distinguish between CSR aimed at primary versus secondary stakeholders, we show their differential effects and identify domains of effectiveness. For example, in line with our theorizing, our results show that beyond moderate levels of internal CSR, there are diminishing returns in preventing data breaches, and that superior recoveries are exclusively associated with high levels of internal CSR. This pattern of results lends considerable nuance to the discussion of whether and to what extent to invest in CSR as an offset to the threat posed by data breaches. Third, our posttests provide useful supplementary information. For example, they (1) show that internal CSR reduces the likelihood of data breaches by bad actors both inside and outside the firm and (2) reinforce the notion that satisfied employees are an indispensable component in avoiding data breaches (Liang, Biros, and Luse 2016). Another (3) suggests that consumers endorse the idea that a “halo effect” of external CSR will prevent data breaches, a belief that is not supported by the behavioral data in Study 1 and that underscores the need for scholarship on data breaches that goes beyond perceptions of data security (Martin, Borah, and Palmatier 2017).

Theoretical Background

Data Breach

A data breach is an electronically mediated service failure that occurs when sensitive organizational or customer data is accessed by unauthorized parties (Goode et al. 2017). Data breaches have various sources—malicious attacks, employee misconduct, mishandling, or property loss (Kwon and Johnson 2018)—and tend to have consumer and corporate ramifications such as reputational, monetary, and psychological losses for victims (e.g., identity theft, fraud; Rasoulian et al. 2023), reduced consumer shopping intentions and loyalty (Chakraborty et al. 2016; Janakiraman, Lim, and Rishika 2018), financial costs such as regulatory fines and legal expenses (Carfagno 2019), and a deterioration of firms’ market and stock performance (e.g., Ko and Dorantes 2006; Malhotra and Malhotra 2011). To minimize such harm, it is important to understand how to prevent data breaches and recover effectively in their aftermath.

Existing research on data breaches has developed along two trajectories. In relation to prevention, research primarily concentrates on technical and tactical considerations such as IT investment and digitalization (Kwon and Johnson 2018; Sen and Borle 2015) or organizational characteristics such as industry size, firm age, and IT expertise (Angst et al. 2017; McLeod and Dolezel 2018). In relation to recovery, research likewise centers on specific techniques. For example, scholars have examined compensation as a remediation tactic (Goode et al. 2017) and the effectiveness of different forms of recovery (e.g., apology vs. process improvement [Rasoulian et al. 2017]; accommodation vs. defense [Gwebu, Wang, and Wang 2018]).

More recently, scholars have begun to recognize the importance of understanding what strategic, firm-level factors shape data security outcomes. For example, Martin, Borah, and Palmatier (2017) investigate firms’ privacy management practices of customer information and show that empowering customers through transparency (i.e., does the customer know what information about them is being shared?) and control (i.e., does the customer believe they can influence the flow of this information?) make it less likely customers will believe their data are vulnerable. Similarly, building on work showing that CSR investments can shield firms from the risks presented by health, safety, and integrity crises (Godfrey, Merrill, and Hansen 2009), D’Arcy et al. (2020) focus on firm-level corporate social performance as a predictor of data breaches, with results suggesting that a disingenuous commitment to peripheral endeavors (e.g., philanthropy, recycling programs) makes firms more attractive targets for exploitation. However, what is thus far absent from the literature is research simultaneously examining prevention and recovery at a strategic level (for a summary of prior related research, see Web Appendix A). In the following section, we identify one strategic variable that we argue is capable of improving both prevention and recovery. We then spend the remainder of the article articulating theory and developing evidence to support that view.

CSR and CSR Type

CSR is a firm's commitment to ethical behavior and to undertaking economic development while considering the interests of stakeholders like customers, employees, suppliers, the community, and society at large (Lindgreen, Swaen, and Johnston 2009). This definition emphasizes that CSR, as a firmwide culture, informs various decisions, policies, and routines by aligning them with stakeholders (Grandy and Sliwa 2017; Mayer 2014). It is informed by stakeholder theory, which proposes that the appropriate way to manage a firm is to adopt as the unit of analysis “the relationship between a business and the groups and individuals who can affect or are affected by it” (Freeman et al. 2010, p. 5). Thus, managers are not merely guided by what shareholders want (i.e., maximizing profit) but by a wider set of actors, with the goal of the firm to maximize overall value. Stakeholder theory also extends through the responsibility principle to an understanding that ethics and business operations are immutable. As such, it is a theoretical lens through which much CSR research has been conducted because “engaging in socially responsible behavior is one of the main avenues for firms to build and maintain trusting stakeholder relationships” (D’Arcy et al. 2020, p. 1204).

In the literature, there is a consensus that CSR reflects seven underlying dimensions (e.g., Godfrey, Merrill, and Hansen 2009; Luo et al. 2015), summarized as follows (see also Web Appendix B):

Corporate governance: top management compensation and the firm's record on transparency, accountability, and a lack of accounting controversies.

Employee relations: the firm's record on worker involvement, ownership, benefits, and fair treatment.

Product: the firm's record on innovation, quality, safety, and the provision of unusual or unique benefits to consumers.

Community: the firm's charitable giving, housing and education support for economically disadvantaged people, volunteerism, and related issues.

Diversity: the firm's subcontracting with women and members of racial and ethnic minority groups, as well as policies, benefits, and representation related to women, members of racial and ethnic minority groups, people with disabilities, and LGBTQ+ employees.

Human rights: the firm's activities linked to human rights, including relationships with Indigenous people and labor.

Environment: managerial commitment to the environment (e.g., pollution, recycling, clean energy, waste).

In recognition of theoretical differences across dimensions but also to simplify analyses, to provide actionable advice to managers, and to articulate different explanations (e.g., Clarkson 1995; Godfrey, Merrill, and Hansen 2009; Habel et al. 2016; Homburg, Stierl, and Bornemann 2013), researchers routinely categorize CSR activities. Despite a few minor inconsistencies across the approaches taken, a general pattern emerges corresponding to two categories (Godfrey, Merrill, and Hansen 2009; Luo et al. 2015; Mattingly and Berman 2006). ¹ The first category groups the corporate governance, employee relations, and product dimensions in recognition that they are linked to a firm's primary, technical, and core stakeholders, who are “essential to the operation of the business” (Godfrey, Merrill, and Hansen 2009, p. 429). Theoretically, this category reflects activities aimed at stakeholders “without whose continuing participation the corporation cannot survive” (Clarkson 1995, p. 106), largely by enhancing operational efficiency through resource acquisition, technical capability development, process refinement, and productivity boosts (Homburg, Stierl, and Bornemann 2013). In our theorizing, we refer to this category as internal CSR. The second category groups community relations, environment, diversity, and human rights, which reflect a firm's secondary, institutional, and peripheral stakeholders, who are “those who can influence a firm's primary stakeholders” (Godfrey, Merrill, and Hansen 2009, p. 429). This category largely captures a firm's efforts to bolster reputation and intangible value (Habel et al. 2016), often achieved via actions like donating to help economically disadvantaged people, promoting strong volunteer programs, and developing good relations with unions. We refer to this category as external CSR.

While this approach to categorizing CSR is theoretically useful, in the world, the effects of activities in each category may be fuzzy and not mutually exclusive. For example, at times, it is possible that internal CSR will boost a firm's reputation (Homburg, Stierl, and Bornemann 2013), such as by promoting the firm's image among prospective employees (Aguinis and Glavas 2013; Turban and Greening 1997). Similarly, external CSR can improve employee morale and productivity (D’Arcy et al. 2020), such as in the case of community outreach programs that are associated with employees showing more cooperation at work (Bartel 2001). We are not arguing in favor of a strict application of these two categories but are suggesting they provide a useful way of framing our theoretical explanations around the effects of CSR on data breaches.

As well, in the next section we develop arguments around CSR's effects on the likelihood and impact of data breaches. Part of our rationale depends on various actors’ having an awareness of a firm's CSR activities. There are two main sources of data breaches (KPMG 2022): inside actors (e.g., employees), who, by virtue of their position, are familiar with a firm's CSR activities, and outside intruders (e.g., hackers). How might the latter gain knowledge of a firm's CSR activities? CSR reporting is “mainstream” (Du and Yu 2021, p. 253), and “reporting on CSR initiatives has now become common practice for virtually all major corporations” (Aguinis and Glavas 2013, p. 314), in part because nonvisible CSR is unlikely to have reputational benefits (Minor and Morgan 2011). CSR information appears in stand-alone reports published by firms, financial disclosures, corporate websites, and media reports (e.g., CSR rankings). This information is readily available and routinely accessed by financial analysts and executives (Ramchander, Schwebach, and Staking 2012), prospective employees (Turban and Greening 1997), activist groups (McDonnell and Werner 2016), and other actors. For example, hackers self-describe as having a “Robin Hood” mentality (Young, Zhang, and Prybutok 2007, p. 282), watching for unethical behaviors from companies and using information about their social or environmental standing to justify target selection (Benjamin et al. 2016; Bermiss, Zajac, and King 2014; Carty and Reynoso Barron 2019), and going after firms that do not fulfill their promises (Gandhi et al. 2011; Young, Zhang, and Prybutok 2007) or otherwise appear to have insincere CSR commitments (Aguinis and Glavas 2013; Barnett 2007; D’Arcy et al. 2020).

First Layer of Protection: CSR Prevents Data Breaches

It is an intuitive idea that generally higher levels of CSR will deter intruders. CSR can contribute to a positive halo effect whereby a firm's ethical characteristics shape inferences of its benevolence and integrity (Bhattacharya, Korschun, and Sen 2009), suggesting they should be less appealing targets for ideologically motivated actors. Such firms should enjoy reputations for promoting the well-being of stakeholders, and targeting such firms could be viewed as violating social norms (Wiatrowski, Griswold, and Roberts 1981) and invite more certain and harsher penalties if caught (Young and Zhang 2007; Zhang, Young, and Prybutok 2007). A stronger CSR reputation also signals organizational capabilities (Bhattacharya and Sen 2003), meaning external bad actors may assess that a better relative payoff can be achieved by targeting a less competent firm.

At the same time, in line with stakeholder theory, we anticipate that internal CSR will be more effective than external CSR at preventing data breaches. Internal CSR involves prioritizing stakeholders such as employees and customers and implies investments aimed at improving a firm's core operations, which in the context of data breaches suggests more credible and verifiable efforts to safeguard information (e.g., minimizing the accidental release of data). Higher internal CSR implies a firm orientation toward transparent and accountable operations, meaning greater adherence to auditable standards (e.g., National Institute of Standards and Technology Cybersecurity Framework; see Southwest 2021), more engagement with third-party actors to improve infrastructure (e.g., Automotive Cybersecurity Industry Consortium), more training of employees in safeguarding practices (D’Arcy et al. 2020; Flammer and Luo 2017; Hsu et al. 2015), and adoption of fair information practices as an internal company norm (e.g., Marriott 2021; see also Bélanger and Crossler 2011). In other words, internal CSR implies costly investments in improving processes and technology that are integrated across a firm's operations, in maintaining a vigilant culture (Hsu et al. 2015), as well as prioritizing consumer and employee satisfaction (e.g., Etsy, Cisco, and Hilton; Adam 2023; Fortune 2023).

In contrast, external CSR is aimed at stakeholders who may not be essential for the firm's survival (Clarkson 1995), meaning that these activities may fall outside a firm's routines and operations (Aguinis and Glavas 2013) and implicate bolted-on “acts of social beneficence” (Godfrey, Merrill, and Hansen 2009, p. 429) and other activities that may be incongruent with a firm's main activities (Yoon, Gürhan-Canli, and Bozok 2006), leading firm outsiders to view them skeptically as window-dressing (Connors, Anderson-MacDonald, and Thomson 2017). For example, for many firms, environmental practices remain peripheral (D’Arcy et al. 2020) and are “not tied to an organization's strategy and its core competencies” (Aguinis and Glavas 2013, p. 316), and it is common for firms to make a “multitude of vague and misleading environmental claims” (Furlow 2010, p. 23) that are mainly ceremonial and poorly aligned with major operations that sustain the firm (Angst et al. 2017; Schons and Steinmeier 2016). In the worst cases, rather than protecting firms against data breaches, such activities might be viewed as so insincere as to increase the likelihood of being targeted (D’Arcy et al. 2020). Compared with internal CSR, it seems there is a higher probability that external CSR involves cosmetic activities that do little to improve a firm's business practices and operational effectiveness (Homburg, Stierl, and Bornemann 2013).

However, consistent with research suggesting that CSR has curvilinear effects (e.g., Chen et al. 2018; Vlachos et al. 2013), we propose that at high levels of internal CSR, there are diminishing returns to preventing data breaches. That is, we anticipate that at both moderate and high levels, internal CSR will be associated with reduced motivations to attack a firm. First, data breaches attempted by insiders should be minimized: employees will be unmotivated to betray their own firm because they lack the requisite levels of dissatisfaction to do so (Lacey, Kennett-Hensel, and Manolis 2015). Whereas low internal CSR implies that employees feel mistreated and disrespected, moderate CSR implies a positive degree of satisfaction, engagement, and morale (Bergami and Bagozzi 2000), suggesting they lack the retributive mindset to attempt a deviant (Spreitzer and Sonenshein 2004) and potentially illegal breach.

Second, data breaches attempted by outsiders should be reduced. Prior work suggests that breaches are undertaken to punish firms that lack commitment to or demonstrate hypocrisy in their CSR efforts (see D’Arcy et al. [2020] for a review). However, even moderate levels of internal CSR signal reasonable duty of care (Freeman 1984) and basic adherence to norms of transparency and accountability, to good-faith efforts at avoiding controversy, and to upholding values like worker safety or protecting the environment (Farah et al. 2021). For ideologically driven intruders, it is difficult to portray companies that abide by the industry status quo as such bad actors lacking moral capital that they deserve to be violated.

Third, for outsiders who have other motivations like financial gain, moderate levels of internal CSR imply the firm is not low-hanging fruit subject to easy breach. Whereas firms with low levels of internal CSR are vulnerable, firms with moderate levels of internal CSR signal competence in their capabilities (Bhattacharya and Sen 2003), which in the context of data breaches suggest the hacker will encounter reasonable resistance. For example, even modest internal CSR investments suggest that attacks will be relatively time-consuming, resource-intensive, and risky (Angst et al. 2017; Kwon and Johnson 2018). Those undertaking data breaches for nonideological reasons are opportunistic and are likely to target firms with low internal CSR due to their less integrated and more porous systems, poor employee morale, less top management prioritizing of avoiding controversy, and so on (Sen and Borle 2015). Firms do not need to project superiority on internal CSR to dissuade efforts at data breaches.

H_1a: Internal CSR is associated more with reduced data breach likelihood than external CSR.

H_1b: The suppression effect of internal CSR diminishes at high levels.

Second Layer of Protection: CSR Helps Recovery Following a Data Breach

CSR also has implications for how well a firm recovers from a data breach. We focus on a firm's short- and long-term financial performance following a breach because this approach denotes consequential empirical harm to companies and brands. Generally paralleling the arguments we made in the previous section, internal CSR should be better than external CSR in serving postbreach recovery because of its focus on building competence and confidence among primary stakeholders. For example, internal CSR prioritizes employee satisfaction, suggesting such firms should be able to attract, retain, and engage the types of skilled employees who will be capable of administering a fast and effective response (e.g., Aguinis and Glavas 2013, 2019). ² Similarly, CSR that addresses how to support customers and to extend market offerings that align with their values are more likely to foster strong identification and loyalty (Aguinis and Glavas 2013; Sen and Bhattacharya 2001) that promote forgiveness and help firms weather serious crises (Sinha and Lu 2016; Tsarenko and Tojib 2015). Conversely, consistent with arguments that financial analysts discount CSR signals relating to firm intangibles (Orlitzky 2013), CSR focused on secondary stakeholders does not generally address core business practices and risks being interpreted as symbolic, meaning it will contribute less to salvaging the firm's financial performance following a data breach.

However, in contrast to our argument in the previous section, where we argued that moderate and high levels of internal CSR should be comparable in terms of preventing data breaches because of their similar motivational effects, we think that an effective recovery from an experienced data breach will only be associated with high levels of internal CSR. Breaches pertain to the unintended release of sensitive information such as medical (e.g., health records), financial (e.g., credit cards), and other data (e.g., social security numbers). The default expectation applied to companies possessing such information is the preservation of data integrity. When a breach occurs, the violation of trust and production of actual harm cannot be offset by any modest reputational advantages signified by average CSR investments (Luo et al. 2015). Only high levels of internal CSR imply the type of exceptional managerial and operational effectiveness (Flammer 2013; Pedersen, Fitzgibbons, and Pomorski 2021) and orientation to the concerns of primary stakeholders that will produce a response that is materially better (e.g., recognition, containment, recovery; Khan et al. 2021) than market expectations. Stated differently, superior internal CSR corresponds to outstanding goodwill, resource access, employee engagement, product management, and financial strength (Barnett 2014; Godfrey 2005; McWilliams and Siegel 2011) that may convince consumers that the firm is not culpable for the breach and persuade investors that the firm is resilient in crisis. This view is consistent with arguments and evidence that CSR levels have to reach high levels, associated with superior moral capital, for its risk-reduction features to be activated (Farah et al. 2021). When firms with exceptional CSR credentials experience a breach, its cause is likely to be described as “bad luck rather than bad management, saving the firm money, avoiding regulatory scrutiny, and preserving the value of its brand” (Minor and Morgan 2011, p. 42). Firms with superior internal CSR will exhibit excellence in crisis response and garner favorable assessments and investment endorsements following a breach (Ioannou and Serafeim 2015).

H_2a: Internal CSR is associated more with superior financial performance following a data breach than external CSR.

H_2b: Internal CSR is associated with effective recovery only at high levels.

Studies

We conduct three studies: Study 1 explores whether CSR prevents actual data breaches. Studies 2a and 2b examine CSR's mitigation of data breach damages in the context of short-term and long-term financial performance, respectively.

Pretests

In Web Appendices C through G, we detail the results of two surveys involving consumers and professionals that provide empirical support for the application of two categories corresponding to primary (corporate governance, employee relations, product) and secondary (community relations, diversity, human rights, environment) stakeholders. Those results confirm that the former is more strongly linked to firms’ efforts to enhance operational efficiency and productivity (i.e., internal), and the latter is more closely linked to firms’ efforts to improve their image and reputation (i.e., external). We carry forward this categorization to the studies described next.

Study 1: CSR and the Likelihood of Actual Data Breach

Study 1 investigates the effect of CSR on data breach occurrences across U.S. public firms representing different industries between 2005 and 2018.

Data

We obtained data from three sources. First, we retrieved firms’ CSR performance data from the KLD database, which has been used extensively in prior CSR research (Flammer 2015; Ioannou and Serafeim 2015; Luo et al. 2015). KLD ratings cover 37 key issues reflecting the seven CSR dimensions outlined previously (corporate governance, employee relations, product, community relations, diversity, human rights, environment). Positive scores on each dimension indicate a firm strength, whereas negative scores indicate a firm weakness. Following prior research (Ioannou and Serafeim 2015), we constructed a firm's overall CSR performance as the sum of CSR strengths minus the sum of CSR weaknesses across all seven dimensions. Second, we obtained data about actual breaches from Privacy Rights Clearinghouse (PRC), a standard approach in the literature (e.g., Angst et al. 2017; Kwon and Johnson 2018). Established in 1992 by the University of San Diego School of Law, PRC publishes identity theft reports, tracks data breaches across industries, and provides victim assistance for public interest (Sen and Borle 2015). Last, we collected firm-level financial performance data from Compustat. Our final data set consists of 20,700 firm-year observations with 266 identified data breaches over 14 years. The data set reflects 3,089 unique firms (we list distribution by industry in Web Appendix H).

Measures

The incidence of a data breach is coded as an indicator variable equaling 1 if a firm experienced at least one data breach during a fiscal year and 0 otherwise. Consistent with prior research (Godfrey, Merrill, and Hansen 2009; Luo et al. 2015) and sustained by our pretest results, we created two CSR categories associated with primary (internal CSR) and secondary (external CSR) stakeholders. The CSR measures are industry-median-centered to control for heterogeneity of CSR performance across industries. After median splitting, high internal or external CSR takes a base value of 0 but is set to be the deviation from (the value over) the median when greater than the industry median. We chose the kink point of median CSR because it represents the average CSR performance within an industry (in terms of ranking and free from bias due to outliers), and this information is often obtained and is easily understood and interpreted by managers.

High _ Internal _ CSR = { 0 , if Internal _ CSR ≤ median ( Internal _ CSR ) . Internal _ CSR − median ( Internal _ CSR ) , otherwise .

(1)

High _ External _ CSR = { 0 , if External _ CSR ≤ median ( External _ CSR ) . External _ CSR − median ( External _ CSR ) , otherwise .

(2)

We include a set of control variables. As data security and maintenance rely on firms’ investment in infrastructure and technology (Mcleod and Dolezel 2018), we control for a firm's intensity of plant, property, and equipment (PPE) measured as the net gross value of PPE scaled by total assets. We account for a firm's marketing and sales expenses measured as log-transformed advertising expenditures because high popularity and awareness indicated by huge advertising expenditures attract attacks (Ettredge, Guo, and Li 2018). We include the log-transformed research and development (R&D) expenditures to represent firms’ investments in innovation since R&D expenditures on skilled researchers and better hardware and software products reduce security vulnerability (Ettredge, Guo, and Li 2018). Moreover, to account for firms’ operational complexity, business risk, and financial condition, we add variables including the number of firms’ analysts and analyst expectations to control for media coverage; litigation risk, an indicator that takes 1 if a firm is in an industry with high litigation risk and 0 otherwise; total assets; sales revenues; firm growth in size; return on assets; leverage ratio; the number of business and geographic segments; cash holdings; firm age; market concentration measured by the Herfindahl–Hirschman index (HHI); market size; last year's number of breaches and the cumulative number of breaches in the industry; and the cumulative number of breaches for the firm, as well as year and industry indicators. Table 1 reports the definitions and operationalization of all variables. Descriptive statistics and correlation matrix of the variables are reported in Web Appendix I.

OPEN IN VIEWER

Table 1.

Variable Definitions.

Conceptual Variable	Notation	Measured Variable	Data Source	Used in Study
				1	2a	2b
Data breach	Data_Breach	Equals 1 if a sample firm experiences at least one data breach event during its fiscal year and 0 otherwise	PRC	✓	✓	✓
Overall CSR	CSR	Average net scores (the difference between CSR strengths and weaknesses) across corporate governance, product liability, employee relation, community, humanity, diversity, and environmental categories	KLD	✓	✓	✓
Internal CSR	Internal_CSR	Average net scores (the difference between CSR strengths and weaknesses) across corporate governance, product liability, and employee relation categories	KLD	✓	✓	✓
External CSR	External_CSR	Average net scores (the difference between CSR strengths and weaknesses) across community, humanity, diversity, and environmental categories	KLD	✓	✓	✓
Cumulative abnormal return	CAR	Cumulative abnormal return estimated with a Fama–French–Carhart four-factor model by accounting for four distinct risk factors (market, size, value, and momentum)	Compustat		✓
Tobin's q	Tobin's q	Firm's Tobin's q ratio improved by Peters and Taylor (2017)	Compustat			✓
PPE intensity	PPE Intensity	Net gross value of PPE scaled by total assets	Compustat	✓		✓
Advertising expense	AD	Log-transformed advertising expenditures	Compustat	✓		✓
R&D expense	RD	Log-transformed research and development expenditures	Compustat	✓		✓
Litigation risk	Litigation	Equals 1 if the sample firm is in the industry with high litigation risk and 0 otherwise	Compustat	✓	✓	✓
Firm assets	Assets	Log-transformed value of firm assets	Compustat	✓		✓
Sales	Sales	Sales revenues scaled by total assets	Compustat	✓		✓
Growth	Growth	Firm's growth in size (proxied with sales revenue)	Compustat	✓		✓
Return on assets	ROA	Return on assets	Compustat	✓	✓	✓
Leverage ratio	Leverage	Leverage ratio	Compustat	✓	✓	✓
Segments	Segments	Log-transformed number of business and geographic segments	Compustat	✓	✓	✓
Market concentration	HHI	Measured by Herfindahl–Hirschman index	Compustat	✓	✓	✓
Firm age	Age	Log-transformed firm age	Compustat	✓	✓	✓
Firm size	Size	Log-transformed market value	Compustat		✓
Book-to-market ratio	BTM	Book-to-market ratio	Compustat		✓
Market-to-book ratio	MTB	Market-to-book ratio	Compustat			✓
Accruals	Accrual	Total asset-scaled difference between earnings before extraordinary items and operating cash flows	Compustat		✓
Earning variation	Std Earnings	Standard deviation of operating income scaled by lagged assets during the previous five years	Compustat			✓
Number of analysts	Analysts	Number of analysts	I/B/E/S	✓	✓	✓
Analysts’ expectation	Analysts’ Expectation	Defined as (the number of financial analysts adjusting high − the number of financial analysts adjusting low) / (the number of financial analysts adjusting high + the number of financial analysts adjusting low)	I/B/E/S	✓	✓	✓
Institutional owner	Institution Owner	Percentage of shares held by institutional owners	I/B/E/S			✓
Cash holding	Cash	Log-transformed cash at the year end	Compustat	✓	✓	✓
Market size	MarketSize	Log-transformed market value for firms in the industry	Compustat	✓	✓	✓
Lag industry data breach	IndustryBreach	Lag-year number of data breaches in the industry	PRC	✓	✓	✓
Cumulative industry data breach	IndustryCumBreach	Cumulative total number of data breaches of the firm	PRC	✓	✓	✓
Cumulative firm data breach	CumBreach	Cumulative total number of data breaches of the firm	PRC	✓	✓	✓
Data breach severity	Severity	Log-transformed number of affected consumers or victims of a data breach	PRC		✓	✓
Breach of financial information	Financial	Breached data involve financial information	PRC		✓	✓
Breach of social security number or medical information	SSNMedical	Breached data involve social security number or medical information	PRC		✓	✓
Breach by hacker	Hacker	Data breach caused by a hacker attack	PRC		✓	✓
Breach by equipment theft	Equipment	Data breach caused by theft of equipment	PRC		✓	✓

Notes: To balance information sufficiency and model parsimony, we added control variables in each study based on the nature of the dependent variable, theoretical considerations, and empirical relevance. I/B/E/S = Institutional Brokers’ Estimate System.

Model

To test our proposition, we estimate the following logistic regression:

Pr ( Data _ Breach t ) = β 0 + β 1 × Internal _ CSR t − 1 + α 1 × High _ Internal _ CSR t − 1 + β 2 × External _ CSR t − 1 + α 2 × High _ External _ CSR t − 1 + Σ C φ c × Control c + Σ D γ d × Year _ Indicator d + Σ S ϕ s × Industry _ Indicator s + ε .

(3)

With this model specification and variable construction, β₁ (β₂) captures the main effect of Internal_CSR (External_CSR), and α₁ (α₂) shows how the slope of β₁ (β₂) changes after the median point, that is, the incremental (i.e., kink) effect of High_Internal_CSR (High_External_CSR). At the low-median range, CSR takes the slope of β₁ (β₂), and past the median point, at the median-high range, the slope tilts to β₁ + α₁ (β₂ + α₂). Combining β₁ (β₂) and α₁ (α₂) allows us to test the asymmetric patterns of CSR effects with a continuous linear relationship bent at the kink point. Compared with a conventional curvilinear specification to test the asymmetric effect, this linear relationship conceptually and visually better presents our proposed asymmetric effect.

We adopt industry-level fixed-effects instead of firm-level fixed-effects because of our unbalanced panel with a large portion of firms having a limited number of within-firm observations and the lack of within-firm variation for the dependent and key study variables. Therefore, we include broader fixed effects at the industry level (DeHaan 2021, p. 21). To minimize the potential omitted variable bias, we include quite a few control variables to capture the firm-level characteristics that may affect the dependent variable. We adopt these specifications and controls for all analyses in this study.

The CSR performance (Internal_CSR or External_CSR) of a firm may be endogenous due to unobserved factors (e.g., firm-level strategies and actions), even though our model includes a large number of control variables that could affect both data breach occurrence and CSR. We employ a two-stage least squares (2SLS) estimation to correct for potential endogeneity (Greene 2018), with two instrumental variables (IVs) that satisfy both relevance and excludability. Consistent with CSR literature (e.g., Cai, Jo, and Pan 2012; Kim, Li, and Li 2014), we adopt the IV of lag industry CSR of the same type (internal or external), computed at the industry mean. Prior research suggests that firm-level CSR is closely related to its industry norm (relevance), which reflects the varying nature of products produced, regulatory environments, and shifting social trends across industries (e.g., McWilliams and Siegel 2011; Waddock and Graves 1997). It is not obvious that industry-level CSR influences individual firms’ data breach likelihood (excludability). Moreover, following existing literature (e.g., McAlister, Srinivasan, and Kim 2007; Tang, Fang, and Wang 2014), we used the lagged value of the endogenous variable as the second IV. These lag firm (internal or external) CSR terms “are apt to be correlated with their current values” (relevance), and, “since they occur temporarily prior, they cannot be influenced by the contemporaneous shocks” (excludability) (Jacobson 1990, p. 82). In the first stage, we use them to estimate the CSR variables, which are further used to reconstruct the high/low CSR indicator. The relevant endogenous variables are then replaced in second-stage estimation. Our proposed IVs passed validity tests (Wooldridge 2012). Specifically, for the relevance test, the Cragg–Donald Wald F-statistic of IVs is over 11,500 for internal CSR and over 12,500 for external CSR (above the critical value of 10), and the coefficients of both IVs are significant in the first-stage regression. All these rule out the concern of weak instruments. For the exogeneity test, the Sargan statistic of IVs is .01 (p = .92) for internal CSR and 1.04 (p = .31) for external CSR, suggesting that the overidentifying restrictions are valid and the instruments are exogenous.

Results

Table 2 reports the relationship between CSR and data breach occurrence. Model 1 focuses on aggregate CSR. Model 2 and Model 3 delve into internal and external CSR, respectively. Model 4 simultaneously examines the effects of internal and external CSR. We find that overall CSR is associated with lower data breach likelihood (β = −.2585, p < .01), and high CSR mitigates the prevention of data breaches (α = .2797, p < .01). We also discern patterns between internal and external CSR. Model 4 shows that internal CSR is associated with low data breach likelihood (β = −.4709, p < .01), but there is a significant kink effect for high internal CSR (α = .5846, p < .01), indicating that high (vs. medium) internal CSR is not associated with a lower likelihood of data breach (in support of H_1b). In support of H_1a, for external CSR, neither the main effect (β = .2064, p = .15) nor the kink effect (α = −.1080, p = .49) is significant. We then plot the marginal effect of CSR on (logit) data breach probability in Figure 2.

OPEN IN VIEWER

Figure 2.

CSR's Effect on Firm Data Breach Likelihood (Study 1).

OPEN IN VIEWER

Table 2.

CSR and Data Breach Likelihood.

	Overall CSR		Internal CSR		External CSR		Both Internal and External CSR
	Model 1		Model 2		Model 3		Model 4
Base effect
CSR	−.2585***
Internal CSR			−.4676***				−.4709***
External CSR					.2527*		.2064
Incremental (kink) effect of high CSR
High CSR	.2797***
High internal CSR			.6095***				.5846***
High external CSR					−.1863		−.1080
Controls
PPE intensity	−.7989*		−.8908**		−.6805		−.8764**
Advertising expense	.0706**		.0636*		.0648*		.0546
R&D expense	.0146		.0279		.0004		.0173
Litigation risk	.4909		.4611		.4245		.4206
Firm assets	.3932***		.3295***		.3779***		.2824***
Sales	.5773***		.5292***		.6068***		.5133***
Growth	2.8301		2.5779		3.2224		2.8324
Return on assets	.3674		.4454		.2938		.3686
Leverage ratio	.6147		.5708		.7389*		.5955
Segments	−.0616		−.0687		−.0420		−.0739
Firm age	−.2714		−.2973		−.4121		−.4064
Cash holding	.1249*		.1001		.0962		.0900
Market concentration	−.7065		−.7799		−.6039		−.6968
Market size	−.1094		−.1230*		−.1057		−.1187*
Number of analysts	.0363***		.0374***		.0303***		.0349***
Analysts’ expectation	.0558		.0436		.0560		.0395
Lag industry data breach	.5509***		.5261***		.5373***		.5231***
Cumulative industry data breach	−.0489***		−.0430***		−.0448***		−.0414***
Cumulative firm data breach	.5224***		.4742***		.5223***		.4647***
Year fixed effects	Yes		Yes		Yes		Yes
Industry fixed effects	Yes		Yes		Yes		Yes
Intercept	−8.2082***		−7.0575***		−7.9489***		−6.4372***
Number of data breaches	266		266		266		266
Number of nondata breaches	20,434		20,434		20,434		20,434
Number of observations	20,700		20,700		20,700		20,700
Likelihood ratio chi-square	680***		704***		672***		709***
Score chi-square	1,164***		1,224***		1,174***		1,253***
Wald chi-square	590***		617***		592***		624***
−2 log likelihood	2,166		2,141		2,173		2,136
Akaike information criterion	2,260		2,235		2,267		2,234
First-Stage Regression
Instrumental variable
Lag industry CSR	−.0636**
Lag firm CSR	.7342***
Lag industry internal CSR			−.1528***				−.1528***
Lag firm internal CSR			.7081***				.7081***
Lag industry external CSR					.0650***		.0650***
Lag firm external CSR					.7277***		.7277***
Controls
Control variables	Yes		Yes		Yes		Yes
Year fixed effects	Yes		Yes		Yes		Yes
Industry fixed effects	Yes		Yes		Yes		Yes
R-square	.6750		.6291		.6997		.6291/.6997
Adj. R-square	.6737		.6276		.6985		.6276/.6985

*p < .10. **p < .05. ***p < .01.

Robustness checks

We ran several robustness checks to validate the results (Web Appendix J). First, heterogeneity and serial correlation may cause bias in the estimation of panel data. Therefore, we ran the model with two-way (industry and year) clustered standard errors. This adjustment produces a different error variance for each cluster, thereby controlling for heteroskedasticity and serial correlation within clusters. The results are robust, ruling out these potential concerns. Second, we explored an alternative curvilinear model to study the asymmetric effects of CSR with continuous CSR-related measures. The results show a similar nonlinear relationship pattern as our proposed model, leading us to the same conclusions vis-à-vis our hypothesis. This specification relaxes the kink point assumption and allows the data to show where the turning point is. All turning points are within the meaningful range (−2σ, +2σ) from the µ of study data. Third, to verify the moderation effects between low and high (internal or external) CSR, we conducted split data analysis on the subset of low and high (internal or external) CSR, respectively, and compared the patterns of estimates. Fourth, the yearly occurrence of data breaches might be low in granularity, so we ran a model with higher levels of granularity at the quarterly level, which our firm-level data can accommodate. Fifth, we ran a linear probability panel regression to fix the panel logit problem when there is a lack of within-group variation in incidents (Hsiao 2007). Sixth, to capture unobserved firm-specific characteristics, we ran a firm-level random effects model while pooling information from all observations, and the results are robust. Seventh, we further ran models with firm-level fixed effects. The results are largely consistent, while the statistical inferences differ due to the noninformativeness during estimation for a significant portion of firms with a limited number of observations and low or no within-firm variation of key variables (DeHaan 2021). This leads to less significant results for the firm fixed-effects model and an unestimated coefficient for the variable of litigation risk. Last, as data breaches occurred with only 1.26% likelihood in our study, to address the “rare event” issue and check the robustness of our estimates, we ran an additional analysis using the rare-event logistic regression (King and Zeng 2001). The pattern of results linked to our hypotheses remains unchanged.

Posttests

We conducted three posttests. Study 1 collapsed across breaches by inside and outside intruders, but separating by breach type might shed light on the suppression effects of internal versus external CSR against insider and outsider perpetrators, respectively. So, in Posttest 1.1, per the definitions and descriptions from PRC data, we classified data breaches into three groups: (1) an insider breach is perpetrated by a company insider (employee, contractor, or customer) or is associated with an insider's unintended disclosure; (2) an outsider breach occurs when the data are hacked by an outside party or infected by malware; and (3) the source of a breach is not determined. The results (Web Appendix K) show that internal CSR has a curbing effect on all types of breaches (insider, outsider, and undetermined). Consistent with our main model finding, its suppression diminishes at high CSR. External CSR does not suppress the likelihood of any type of breach. These results reinforce that internal CSR reduces the likelihood of data breaches by bad actors both within and outside the firm.

In Posttest 1.2, by merging our data with information from Glassdoor, the leading website for company reviews by former and current employees, we examined CSR's impact on data breaches via employee morale and satisfaction, which is captured with three variables: senior management rating (score), employers recommending (the ratio of the difference between the number of reviews recommending and not recommending the employer over the total number of reviews), and CEOs approving (the ratio of the difference between the number of reviews approving and disapproving the CEO over the total number of reviews). The results (Web Appendix L) show that internal CSR boosts employee morale and satisfaction with the firm and its management, which in turn reduces data breach likelihood. In other words, all three variables mediate internal CSR's effect on data breach. In comparison, external CSR indirectly suppresses data breaches only through the employers recommending variable (but not the other two variables).

Last, we wondered whether listening to the consumer in the context of designing defenses against data breaches made sense. Such a view seems supported by Martin, Borah, and Palmatier (2017), wherein the authors (Study 3) measure changes in consumer perceptions of data vulnerability as a function of transparency and control, with the results showing that higher levels of both factors cause consumers to feel more secure (i.e., less vulnerable). Analogously, in Posttest 1.3 we conducted an experiment to obtain consumer perceptions of the relationship between CSR and data breaches. We employed a 2 (CSR type: internal vs. external) × 3 (CSR performance: low vs. medium vs. high) between-subjects design and asked consumers to predict a firm's data breach likelihood (Web Appendix M). Overall, the results reveal what is interpretable as a halo effect (a negative link between CSR performance and perceived data breach likelihood) with no difference in impact between internal and external CSR. We effectively asked consumers what factors they think will suppress data breach likelihood, and their responses endorse a favorable role for CSR without distinguishing between types of CSR. To the extent that one views Prolific panelists as approximating the real consumers, this result describes a gap between what they believe (external CSR spending helps prevent breaches) and what our data inform us about actual data breaches (i.e., a null effect). There may still be some benefits associated with external CSR spending—for example, it is likely to make consumers feel more secure—but the results of Study 1 suggest that if the marketer's goal is to secure consumer data, enthusiastic spending on external CSR may be a choice to avoid.

Discussion

Study 1 supports our theorizing that internal CSR is more effective in safeguarding consumer data. For firms, improving internal CSR helps reduce data breach likelihood, but only to the extent of meeting industry-level CSR performance because the incremental suppression effect is marginal with high CSR. Internal CSR reduces the likelihood of both insider and outsider breaches, and engaging in external CSR would not help firms in this regard. We further show that CSR, especially internal CSR engagement, motivates employees and, in turn, reduces data breach likelihood. Our supplementary experimental research demonstrates that consumers generally recognize the association between CSR performance and the diminished likelihood of data breaches; however, they appear to have a limited understanding of the distinct effects of internal and external CSR.

Study 2a: CSR and Recovering from a Data Breach: Short-Term Financial Performance

Throughout this article, we suggest that preventing and recovering from data breaches are connected phenomena and that ideally firms should identify and employ strategies that address both. In Study 1, we addressed prevention. Here, we adopt an event study to investigate CSR's impact on stock market reactions to data breaches, with Study 2a starting with an examination of short-term effects. Marketing scholars have employed event studies to assess the effects of internal (e.g., product release) and external (e.g., mandatory recalls) events on short-term stock market returns (Sorescu, Warren, and Ertekin 2017). We focus on cumulative abnormal return (CAR) estimated with a Fama–French–Carhart four-factor model by accounting for four distinct risk factors (market, size, value, and momentum). Detailed CAR estimation procedures are described in Web Appendix N.

Data

Using the same data source as Study 1, we merge information on data breaches, CSR, and firm financials. We checked and eliminated data points with potential confounding events around the (−1, +1) window such as dividend declarations, earnings information, and news on major positive or negative business events such as new product announcements, major sales, or mergers and acquisitions, resulting in a sample of 301 data breaches with CAR measures. After we eliminated observations with missing variables for regression analysis, 278 remained. ³

Measures

The key dependent measure for the regression model is CAR with a (−1, +1) time window to allay a potential information leakage or delay effect. This time window is chosen based on a set of statistics, including Patell's t, generalized sign Z, and the absolute value of CAR (Godfrey, Merrill, and Hansen 2009; Rasoulian et al. 2023). Web Appendix O reports CARs for an array of different time windows, and Web Appendix P summarizes the set of statistics of these CARs. The data breach, internal CSR, external CSR, high internal CSR, and high external CSR variables are defined as in Study 1. We include additional predictors: firm size, the log-transformed firm market value; the book-to-market ratio; and accruals, the difference between earnings before extraordinary items and operating cash flows, scaled by total assets. In addition, return on assets, leverage ratio, firm age, litigation risk, segments, cash holding, HHI, market size, number of analysts, analysts’ expectation, last year’s number of breaches in the industry, cumulative breaches in the industry, and cumulative breaches for the firm are measured as in Study 1. We also control breach-related variables of severity (Martin, Borah, and Palmatier 2017) and breach (information) type (financial data, social security number or medical data, hacker attack, and theft of equipment) (Rasoulian et al. 2023). Table 1 details variable definitions and construction with summary statistics reported in Web Appendix Q.

Model

We conducted two analyses. First, we checked the pattern of firms’ CAR after data breaches against different types and performance levels of CSR. Second, for rigor, we ran fixed-effects 2SLS regression to show the effect of CSR on firms’ CAR.

CAR = β 0 + β 1 × Internal _ CSR t − 1 + α 1 × High _ Internal _ CSR t − 1 + β 2 × External _ CSR t − 1 + α 2 × High _ External _ CSR t − 1 + Σ C φ c × Control c + Σ D γ d × Year _ Indicator d + Σ S ϕ s × Industry _ Indicator s + ε ,

(4)

where β₁ (β₂) captures the main effect of Internal_CSR (External_CSR), and α₁ (α₂) shows the incremental (i.e., kink) effect of High_Internal_CSR (High_External_CSR). In this model, endogeneity concerns exist (i.e., firms’ CSR activity can be endogenously determined). We take the same approach as Study 1 for endogeneity control and both IVs show validity. Specifically, for the relevance test, the Cragg–Donald Wald F-statistic of IVs is 49 for internal CSR and 109 for external CSR (i.e., above 10), and the coefficients of both IVs are highly significant in the first-stage regression. For the exogeneity test, the Sargan statistic of IVs is 1.173 (p = .28) for internal CSR and 1.411 (p = .24) for external CSR.

Results

Table 3 reports the effect of a data breach in terms of CAR with a (−1, +1) time window, which is graphed in Figure 3, Panels A and B. The overall patterns across CARs with different time windows are largely consistent (see Web Appendix O, which depicts our findings on CARs with different time windows across low, medium, and high CSR groups). At the aggregate level, stock market reaction is negative for low CSR performance (CAR = −.762%, p = .08) and improves with better CSR performance at medium (CAR = −.204%, p = .52) and high (CAR = −.169%, p = .38) levels. An examination of internal and external CSR provides insights. For internal CSR, both low (CAR = −.694%, p = .01) and medium CSR (CAR = −.550%, p = .09) performance have similar negative CAR. Meanwhile, high internal CSR (CAR = .320%, p = .20) leads to a significantly different, nonnegative CAR. For external CSR, low performance results in a negative CAR (−1.165%, p < .01), while medium (CAR = −.282%, p = .54) and high external CSR (CAR = −.058%, p = .73) are associated with estimates statistically indistinguishable from zero.

OPEN IN VIEWER

Figure 3.

CAR After a Data Breach by Types and Levels of CSR.

OPEN IN VIEWER

Table 3.

CAR After a Data Breach by Types and Levels of CSR.

	Overall CSR			Internal CSR			External CSR
	Low	Medium	High	Low	Medium	High	Low	Medium	High
Number of observations	71	77	153	125	75	101	58	62	181
CAR (−1, +1)
Mean	−.762%	−.204%	−.169%	−.694%	−.550%	.320%	−1.165%	−.282%	−.058%
Pos:Neg	31:40	31:46	70:83	49:76	28:47	55:46	18:40	32:30	82:99
T-statistic	−1.79	−.64	−.88	−2.59	−1.70	1.30	−2.70	−.62	−.35
p-Value	.08	.52	.38	.01	.09	.20	.01	.54	.73

The regression results demonstrate the marginal effect of CSR on CAR with a (−1, +1) time window after a data breach (Table 4). Model 1 tests global CSR's mitigation of negative CAR due to data breaches. Model 2 and Model 3 have similar setups while focusing on internal and external CSR, respectively. Model 4 simultaneously examines internal and external CSR effects on performance. The aggregated CSR shows no association (.0000, p = .99) with CAR and no kink effect (.0019, p = .45) for high CSR. An examination of internal and external CSR reveals different patterns. Model 4 estimates show the insignificant base association between internal CSR and CAR (−.0029, p = .14), which only turns positive at high internal CSR (.0077, p = .03). In comparison, external CSR is positively associated with CAR (.0107, p = .02) with the association largely mitigated for high external CSR (−.0094, p = .05). We plot the marginal effect of CSR on CAR in Figure 4. Because both medium and high levels of external CSR protect firms from negative shocks from data breaches, H_2a is not supported. Meanwhile, only high levels of internal CSR protect firms from these negative shocks, supporting H_2b.

OPEN IN VIEWER

Figure 4.

CSR's Effect After a Data Breach: Short-Term Financial Performance (CAR) (Study 2a).

OPEN IN VIEWER

Table 4.

Regression Analysis: CSR's Effect on CAR After a Data Breach.

	Overall CSR		Internal CSR		External CSR		Both Internal and External CSR
	Model 1		Model 2		Model 3		Model 4
Base effect
CSR	.0000
Internal CSR			−.0027				−.0029
External CSR					.0114**		.0107**
Incremental (kink) effect of high CSR
High CSR	.0019
High internal CSR			.0085**				.0077**
High external CSR					−.0098**		−.0094*
Controls
Data breach severity	−.0007*		−.0007**		−.0007**		−.0007**
Breach of financial information	.0013		.0016		.0028		.0037
Breach of social security number or medical information	.0061		.0073*		.0054		.0068*
Breach by hacker	−.0044		−.0045		−.0048		−.0048
Breach by equipment theft	.0002		.0000		.0010		.0006
Firm size	.0012		.0009		.0005		−.0001
Book-to-market ratio	.0042		.0031		.0048		.0037
Return on assets	−.0035		−.0036		.0033		−.0001
Leverage ratio	.0058		.0045		.0062		.0046
Accruals	.0778**		.0739**		.0771**		.0729**
Firm age	−.0253**		−.0231**		−.0257***		−.0264***
Litigation risk	.0149		.0114		.0103		.0093
Segments	.0025		.0027		.0017		.0016
Cash holding	−.0009		−.0005		−.0008		−.0009
Market concentration	.0313**		.0264**		.0278**		.0263*
Market size	.0058***		.0055***		.0049**		.0050**
Number of analysts	−.0002		−.0002		−.0002		−.0003
Analysts’ expectation	.0004		−.0003		.0010		.0006
Lag industry data breach	−.0009		−.0011		−.0014		−.0012
Cumulative industry data breach	.0000		.0000		.0001		.0000
Cumulative firm data breach	−.0006		−.0008		−.0002		−.0001
Year fixed effects	Yes		Yes		Yes		Yes
Industry fixed effects	Yes		Yes		Yes		Yes
Intercept	−.0527**		−.0474*		−.0303		−.0248
Number of observations	278		278		278		278
F-value	1.31*		1.39*		1.45**		1.51**
R-square	.2069		.2164		.2236		.2408
Adjusted R-square	.0490		.0603		.0690		.0816
First-Stage Regression
Instrumental variable
Lag industry CSR	−.2457**
Lag firm CSR	.7512***
Lag industry internal CSR			−.2272***				−.2279***
Lag firm internal CSR			.7092***				.7092***
Lag industry external CSR					.0751***		.0751***
Lag firm external CSR					.7354***		.7354***
Controls
Control variables	Yes		Yes		Yes		Yes
Year fixed effects	Yes		Yes		Yes		Yes
Industry fixed effects	Yes		Yes		Yes		Yes
R-square	.6056		.6092		.6941		.6092/.6941
Adj. R-square	.6052		.6078		.6930		.6278/.6930

*p < .10. **p < .05. ***p < .01.

Robustness checks

Similar to what we did in Study 1, we performed additional analyses to assess the robustness of the results (Web Appendix R). First, we ran an alternative curvilinear model to assess the asymmetric effects of CSR with continuous measures. The results show a pattern consistent with our proposed model that also supports the same conclusions vis-à-vis our hypotheses. Second, we conducted split data analysis on the subset of low and high (internal or external) CSR, respectively, to validate the differential effect of high versus low (internal or external) CSR. All results are consistent with our main model.

The results from our analyses display a consistent pattern. In the short term, both internal and external CSR protect firms from negative stock market reactions, as firms with high internal CSR, and medium and high external CSR experienced nonnegative CAR.

Study 2b: CSR and Recovering from a Data Breach: Long-Term Financial Performance

Study 2b examines CSR's impact on long-term financial performance after a data breach.

Data

We rely on the same source data for CSR, data breaches, and financials as Study 1. Our final data set consists of 18,971 firm-year observations from 2,883 unique firms (see Web Appendix H for industry distribution).

Measures

We measure long-term firm financial performance with Tobin's q (Peters and Taylor 2017), which captures market value relative to replacement value, including intangible capital in the denominator, formulated as (market value of common shares + preferred shares + long-term debts + current liabilities − (current assets − inventories))/total assets. Data breach incidence, internal or external CSR, and high internal or external CSR are defined as in Study 1. We include additional predictors for Tobin's q: earning variation (the standard deviation of operating income scaled by lagged assets over the previous five years), market-to-book ratio, and institutional owner (the percentage of shares held by institutional owners). The remaining controls (advertising expense, R&D expense, PPE intensity, litigation risk, firm assets, sales, growth, segments, leverage ratio, return on assets, firm age, HHI, cash holding, number of analysts, market size, analysts’ expectation, last year’s number of breaches in the industry, cumulative breaches in the industry, and cumulative breaches for the firm) are measured as in Study 1. Data breach severity and breach types (financial data, social security number or medical data, hacker attack, and theft of equipment) are also added. Detailed variable definitions are listed in Table 1, and summary statistics in Web Appendix S. The high correlations between the breach-type variables and data breach occurrence (ranging from .52 to approximately .77, due to a dominance of zeros) create collinearity in estimation. To tackle this, we regressed each of these variables on data breach occurrence and other controls and obtained the residual as its final measure. These residuals contain the net additional information of breach types while being independent of data breach incidence (Luo and Homburg 2007).

Model

We test the proposed effects with the following fixed-effects 2SLS regression:

Tobin ' s q t = β 0 + β 1 × Data _ Breach t − 1 + β 2 × Data _ Breach t − 1 × Internal _ CSR t − 1 + α 1 × Data _ Breach t − 1 × High _ Internal _ CSR t − 1 + β 3 × Data _ Breach t − 1 × External _ CSR t − 1 + α 2 × Data _ Breach t − 1 × High _ External _ CSR t − 1 + β 4 × Internal _ CSR t − 1 + β 5 × External _ CSR t − 1 + Σ C φ c × Control c + Σ D γ d × Year _ Indicator d + Σ S ϕ s × Industry _ Indicator s + ε .

(5)

where β₂ (β₃) captures, upon data breach, the mitigation of Internal_CSR (External_CSR) on the negative shocks, and α₁ (α₂) shows the kink effect of High_Internal_CSR (High_External_CSR). Endogeneity concerns exist (i.e., firms’ CSR activity can be endogenously determined), so we adopt the same IV approach as in Studies 1 and 2a. Both IVs show validity. For the relevance test, the Cragg−Donald Wald F-statistic of IVs is over 9,500 for internal CSR and over 10,500 for external CSR (i.e., above 10), and both IVs’ coefficients are highly significant in the first-stage regression. For the exogeneity test, the Sargan statistic of IVs is 2.633 (p = .11) for internal CSR and .796 (p = .37) for external CSR.

Results

Model 1 (Table 5) tests the moderating effect of the aggregate measure of CSR on Tobin's q, differentiating between low and high CSR. Model 2 and Model 3 have similar setups while focusing on internal and external CSR, respectively. Model 4 simultaneously examines the effects of internal and external CSR. Model 4 (the full model) shows that Tobin's q has a negative association with data breach occurrence (β = −1.9207, p < .01), which is moderated by internal CSR. When internal CSR performance is below the industry median, the negative effect of a data breach on Tobin's q is aggravated with the increase in internal CSR performance (β = −.9184, p < .01). However, for above-median internal CSR performance, the aggravation is flipped by a positive effect with a larger magnitude (α = 1.6283, p < .01). In comparison, regardless of the level of performance, external CSR does not moderate the negative relationship between data breach and Tobin's q. Figure 5 plots the marginal effects of CSR on Tobin's q. In conclusion, there is an asymmetric effect of internal CSR's moderation on the negative effect of a data breach on Tobin's q. In support of H_2a and H_2b, internal CSR protects firms’ long-term financial performance at high levels, but external CSR has no parallel effects.

OPEN IN VIEWER

Figure 5.

CSR's Effect after a Data Breach: Long-Term Financial Performance (Tobin's q) (Study 2b).

OPEN IN VIEWER

Table 5.

CSR and Long-Term Performance (Tobin's q) After a Data Breach.

	Overall CSR		Internal CSR		External CSR		Both Internal and External CSR
	Model 1		Model 2		Model 3		Model 4
Base effect
Data breach	−.9409***		−1.8477***		−.9468***		−1.9207***
Interaction effect
Data breach × CSR	−.4897***
Data breach × Internal CSR			−.8926***				−.9184***
Data breach × External CSR					.0644		−.2232
Data breach × High CSR	.0748***
Data breach × High internal CSR			1.6364***				1.6283***
Data breach × High external CSR					.0158		.0543
Moderator
CSR	.1120***
Internal CSR			.1893***				.1815***
External CSR					.0749***		.0460**
Controls
Data breach severity	−.0170		−.0203		−.0084		−.0170
Breach of financial information	−.4323		−.5167		−.5256		−.4808
Breach of social security number or medical information	−.4663		−.2520		−.6128*		−.2476
Breach by hacker	.4152		.8392**		.4895		.7914**
Breach by equipment theft	.4557		.3377		.7003*		.2331
PPE intensity	−1.3222***		−1.2802***		−1.3261***		−1.2963***
Advertising expense	.0384***		.0449***		.0436***		.0409***
R&D expense	.0211		.0302**		.0366***		.0242*
Market-to-book ratio	.0720***		.0719***		.0729***		.0718***
Firm assets	−.4487***		−.4081***		−.4541***		−.4235***
Sales	−.3115***		−.2823***		−.3301***		−.2883***
Litigation risk	−.0230		−.0261		−.0235		−.0234
Growth	2.6138***		2.5771***		2.5911***		2.5784***
Segments	−.3207***		−.3196***		−.3343***		−.3177***
Leverage ratio	1.1566***		1.1553***		1.1271***		1.1681***
Return on assets	4.0219***		3.9715***		4.1078***		3.9734***
Firm age	.3400***		.3995***		.3379***		.3758***
Market concentration	.3589***		.3415***		.3579***		.3451***
Earning variation	1.8610***		1.8920***		1.8721***		1.8734***
Number of analysts	.0532***		.0544***		.0574***		.0533***
Institutional owner	−.0819		−.0779		−.1161**		−.0721
Cash holding	−.0531***		−.0518***		−.0493***		−.0527***
Market size	.0945***		.0904***		.0910***		.0916***
Analysts’ expectation	.1067***		.1033***		.1073***		.1034***
Lag industry data breach	−.0140		−.0129		−.0210		−.0125
Cumulative industry data breach	.0184***		.0167***		.0189***		.0174***
Cumulative firm data breach	−.2600***		−.2401***		−.2607***		−.2494***
Year fixed effects	Yes		Yes		Yes		Yes
Industry fixed effects	Yes		Yes		Yes		Yes
Intercept	4.0953***		3.6224***		4.1427***		3.8090***
Number of observations	18,971		18,971		18,971		18,971
F-value	62.03***		62.68***		60.62***		60.79***
R-square	.2302		.2320		.2261		.2324
Adj. R-square	.2265		.2283		.2224		.2286
First-Stage Regression
Instrumental variable
Lag industry CSR	−.0628**
Lag firm CSR	.7285***
Lag industry internal CSR			−.2335***				−.2335***
Lag firm internal CSR			.7035***				.7035***
Lag industry external CSR					.0788***		.0788***
Lag firm external CSR					.7160***		.7160***
Controls
Control variables	Yes		Yes		Yes		Yes
Year fixed effects	Yes		Yes		Yes		Yes
Industry fixed effects	Yes		Yes		Yes		Yes
R-square	.6690		.6179		.6887		.6179/.6887
Adj. R-square	.6674		.6161		.6872		.6161/.6872

*p < .10. **p < .05. ***p < .01.

Robustness checks

We performed additional robustness tests (Web Appendix T). First, we ran the model with two-way (industry and year) clustered standard errors. The results are consistent, ruling out concerns of potential heteroskedasticity and serial correlation within clusters. Second, we adopted an alternative curvilinear model to study the asymmetric effects of CSR with continuous measures. The results show a consistent pattern. Third, we conducted split data analysis on the subset of low and high (internal or external) CSR, respectively, to validate the differential effect of high versus low CSR. The results are also consistent with the main model.

Posttest

This follow-up study (Posttest 2) examines the shielding effect of CSR after a data breach from the consumer perspective. We investigated whether CSR props up consumer purchase intentions following a data breach. We employed a 2 (CSR type: internal vs. external) × 3 (performance: low vs. medium vs. high) × 2 (data breach: present vs. absent) between-subjects design to project CSR's impact on consumer purchase intention after data breaches (see Web Appendix U for details). The results suggest neither internal nor external CSR protects against diminished purchase intention following a data breach.

Discussion

As theorized, high levels of internal CSR protect against both short- and long-term financial impact when firms are implicated in a data breach. Meanwhile, external CSR provides shielding from financial harm only in the short term, and this shielding attenuates at high CSR levels. Posttest 2 suggests that neither type of CSR investment, internal or external, will mitigate the diminished purchase intentions of consumers following a data breach.

General Discussion

Data breaches are a liability for marketers with considerable impacts on brand credibility, consumer trust, supplier relationships, and other marketing investments. In Study 1, using data spanning 14 years and containing over 20,000 observations, we examine the impact of different kinds of CSR on the incidence of data breaches. The results (Table 6) show that CSR that is peripheral to a firm and aimed at secondary stakeholders does not protect the firm. At the same time, both moderate and high levels of internal CSR, intended to address the viewpoints of primary stakeholders like customers and employees, decrease data breaches. Posttest 1.1 suggests this effect is attributable to reducing data breaches by company outsiders as well as employees, who are motivated in part by their perspectives on senior management (Posttest 1.2). These results together point to the importance of genuine commitments to CSR, not the type of external, image-focused CSR that consumers believe will diminish data breaches (Posttest 1.3) but that likely has no actual effect on intrusion behavior (Study 1).

OPEN IN VIEWER

Table 6.

Summary of Results.

Context	Study	Focus	Method	Main Finding	Hypothesis	Support
Preventing data breaches	1	Data breach occurrence	Econometric analysis	Internal CSR reduces data breach likelihood but plateaus for high internal CSR (no additional effect over average CSR). External CSR does not curb data breaches.	H1aH1b	YesYes
	Posttest 1.1	Breach type	Econometric analysis	Internal CSR reduces data breach likelihood by both internal and external actors, whereas external CSR does not affect the likelihood of data breach from either type of actor.	H1aH1b	YesYes
	Posttest 1.2	Employee reactions	Econometric analysis	The effect of CSR on data breaches is mediated by employee factors (positive word of mouth of the employer, approval of CEO, ratings of senior management).	—	—
	Posttest 1.3	Consumer perceptions	Experiment	Consumers perceive that internal and external CSR will operate similarly in reducing data breach likelihood.	—	—
Recovering from data breaches	2a	Short-term firm value (CAR)	Event study	Only high levels of internal CSR protect CAR when a data breach occurs. External CSR protects CAR but with a diminishing effect at a high level.	H2aH2b	NoYes
	2b	Long-term firm value (Tobin's q)	Econometric analysis	High internal CSR performance offers protection for Tobin's q upon data breach. External CSR provides no protection at any level.	H2aH2b	YesYes
	Posttest 2	Consumer purchase intentions	Experiment	Neither internal nor external CSR is believed by consumers to protect the firm (i.e., attenuate diminished purchase intentions following a data breach).	—	—

While Study 2 is more optimistic regarding the effects of external CSR (i.e., there is a positive effect on short-term stock market performance), the overarching implication is that a better contingency plan to recover from a data breach is to invest heavily in internal CSR, prioritizing accountable leadership, customer satisfaction, and employee engagement, for example. As in Study 1, listening to consumers on this issue may lead firms astray: the implication of their feedback (Posttest 2) is that no form of CSR investment will help firms recover from a data breach, but this view is at odds with the Study 2 results.

Our article addresses a research priority: how to mitigate adverse consequences of data security–related issues (e.g., American Marketing Association 2022; Quach et al. 2022). We suggest that the corporatewide strategic variable of CSR offers an effective approach to preventing and better recovering from data breaches. It has been previously proposed that CSR may help prevent data breaches (D’Arcy et al. 2020) and operate like an insurance policy against adverse events such as safety or health crises (Godfrey, Merrill, and Hansen 2009). From this foundation, we extend into more novel territory by demonstrating that CSR offers a unifying framework to simultaneously reduce the likelihood of data breaches and shield firms from their negative financial consequences in both the short and long term.

In reflection on CSR's multidimensional nature (Hawn and Ioannou 2016), we also avoid relying on a global measure of CSR, recognizing that differences predicted by stakeholder theory logically advocate for distinguishing between CSR actions aimed at primary versus secondary stakeholders. This distinction reflects actions that are sizable in their level of tangibility and credibility. Internal CSR represents costly and credible investments aimed at core business operations, whereas external CSR may more easily be interpreted as image-mongering or window-dressing. As our Study 1 results suggest, examining only a global measure of CSR performance will mistakenly conclude that CSR investments of any kind provide protective qualities, whereas positive effects are truly driven by internal CSR alone. We also provide what is, to the best of our knowledge, the first empirical validation of these internal and external CSR categories by demonstrating in several pretests that both managers and consumers think about CSR according to this distinction.

In fact, CSR is a multifaceted, corporate-level strategy with varying effects. Unlike traditional critiques that portray CSR as a warm glow (Habel et al. 2016) or a superficial marketing tactic focused on image-building (Wu, Zhang, and Xie 2020), we highlight the efficacy of CSR aimed at primary stakeholders to tackle the hugely consequential challenge of data breaches. Our results confirm that “warm-glow” CSR aimed at secondary stakeholders is minimally effective in managing data breaches: it offers no protection in preventing data breaches and only weak benefits following a breach.

At the same time, it is important to acknowledge that some firms seem to be deeply committed to external CSR activities. For example, some invest in costly environmentally friendly manufacturing to improve efficiency by reducing pollution and waste (see Lankoski 2009). Companies like Microsoft, Intel, IBM, and General Mills appear to be making real commitments to sustainability practices (e.g., George 2019). An extreme example of alignment between core business practices and commitment to external CSR is Patagonia, which in 2022 transferred ownership of the company to a nonprofit with an environmental mission. In other domains such as human rights and diversity, firms like Starbucks and PayPal are touted as having robust track records (Human Rights Campaign 2022). But overall there appears to be considerable variability amid evidence that many companies are undertaking mainly puffery and other public relations exercises without making fundamental changes. Recent evidence suggests greenwashing is “more virulent than ever” (Montgomery, Lyon, and Barg 2023, p. 1) and may be increasing (Reuters 2023) as companies such as ExxonMobil, Kohl’s, Walmart, and Shell use tactics like astroturfing, green labeling, and gaslighting to deceive consumers (Kirts 2023; Milman 2022). In other domains, while firms loudly celebrate their commitment to diversity and human rights, their efforts often misrepresent their business practices. For example, companies “woke-wash” (Dowell and Jackson 2020) by helping “elect candidates they hope will do their industry's bidding or support a specific cause, even as they publicly advocate for the opposite stance” (Lund and Strine 2022, p. 133). Company insiders are wise to this view as well: the results of a recent survey of 1,500 business executives reported in the Wall Street Journal showed that most think greenwashing is widespread in their industry and that “many companies are cutting corners on their environmental, social and corporate governance initiatives” (Toplensky 2023). In short, some of the companies most visibly associated with commitments to external CSR are hypocrites (Cauterucci 2023), and we appear to be witnessing a schism: although some companies are making genuine investments in sustainability and other external CSR initiatives, the activities of many others can most accurately be described as myth-making.

Our results appear to have misaligned elements as far as developing managerial implications: modest investments in internal CSR are adequate to ward off data breaches (Study 1), but when a breach occurs, only high levels of internal CSR offer a sufficiently robust response to curtail penalties in stock price (Study 2). Does this imply that investing in higher internal CSR is a dominant strategy? We do not think so, and we advocate for a more nuanced approach.

First, we gain insight from contemplating the details in our results. Our data set tracks a large number of firms and breaches across industries and over a long time period, so they are likely to support somewhat generalizable heuristics about CSR spending. The results (Table 2) reveal that larger firms (Table 2, Model 4: β_Assets = .2824, p < .01; β_Sales = .5133, p < .01) are more likely to be breached, as are firms receiving a lot of media coverage (β_Analysts = .0349, p < .01). Firms matching this profile should assume that bad actors are enthusiastically targeting them and should not rely on moderate CSR spending to demotivate potential intruders. Such firms should prepare for the worst by investing heavily in internal CSR. This idea is consistent with practitioner analyses showing that as firms get larger, they are more likely to be attacked and suffer if breached (IBM 2022). For example, the average employee in a small finance firm has access to about 12,550 sensitive files, but the comparable number in a large finance firm is 55,000 (Varonis 2021). It is easy to see how the downside in large organizations is worse, given that a single bad actor has the structural potential to cause over four times as much harm as in a small firm.

Second, other information is available to help firms evaluate their risk. Certain industries experience few attempted or actual breaches (e.g., agriculture, construction, real estate, mining), and the costs of a breach are lower (e.g., media, retail, hospitality; IBM 2022; Statista 2022). With such firms, modest internal CSR spending is likely a viable strategy. Conversely, other industries are more attractive (e.g., finance, professional services, information technology; Verizon 2020), and associated firms incur enormous costs if breached (e.g., finance, health care, and pharmaceuticals; IBM 2022), in part due to the types of information in their possession. For example, breaches involving financial data, social security numbers, and medical information are associated with immense penalties, much of it through litigation or settlements with victims (Romanosky, Hoffman, and Acquisti 2014). Firms operating in such industries or managing this type of data are likely to be targeted by highly motivated actors and to suffer a serious financial downside if breached, meaning they should elevate internal CSR investments.

Other firm characteristics matter too. Many data breaches occur through compromised supply chains (IBM 2022), meaning that firms that are not vertically integrated may need to invest relatively more in CSR. Another risk factor is the proportion of a firm's employees who work remotely (IBM 2022). One reason that internal CSR works is that it encourages a corporate culture that emphasizes stakeholder interests in strategic decisions and daily operations (Hoi, Wu, and Zhang 2013). This is, in essence, a CSR-integrated culture that emphasizes people over profit (Chapman 2019) and promotes engaged, ethical employees. We speculate that it may be more challenging to build such a culture in the context of a dispersed workforce (KPMG 2022, p. 28), suggesting that higher CSR expenditures may be merited in such cases.

There are also interesting geographic differences; for example, in Latin America, breaches are nearly exclusively (93%) perpetrated by external actors, whereas in North America, the number is lower (66%; see Verizon 2020). A complete accounting of these risk factors is beyond what we can achieve here (e.g., more senior managers with relatively few LinkedIn connections are more likely to be targeted; Thonnard et al. 2015), but the main conclusion is that if a firm occupies a relatively lower-risk position, then moderate CSR expenditures are called for, but if the risk of being breached rises, so too should internal CSR spending. Relatedly, it is desirable for practitioners to think of data security as a component of CSR (Olcott 2020). Contemporary data breach research focuses on antecedents and crisis response strategies (Gwebu, Wang, and Wang 2018; McLeod and Dolezel 2018), while our results emphasize the view that CSR can create long-term shareholder value (Bhattacharya and Sen 2003). If data security were thought of as a component of CSR alongside product quality, employee satisfaction, and other key internal aspects, it would become better integrated into firms’ core activities and contribute to the type of transparent, accountable culture valued by CSR advocates while reducing concerns about data security.

Limitations and Future Research

We are aware of only one other article explicitly linking CSR and data breaches (D’Arcy et al. 2020), which shows that firms with high levels of peripheral CSR (“e.g., community relations, philanthropy”; p. 1208), especially in the context of concerns with their CSR activities generally, are associated with more data breaches. This contrasts with our Study 1 results that show that external CSR, which includes these two factors, has no effect on data breaches. They also find no effect of what they call “embedded” CSR on reducing data breaches, whereas we find a protective effect for internal CSR. Several reasons might explain the different pattern of results. First, because our analysis includes more time-variant information (we employ 19 control variables with different values for each data year, whereas D’Arcy et al. use time-invariant firm-fixed effects with 6 control variables) and covers all firms (i.e., unlike their final data set of just firms that had a data breach during the study span, an outcome of their applying firm-level fixed effects logistic regression), our approach minimizes selection bias. Second, our data set is larger and more current (approximately 20,000 firm-year observations from 2005 to 2018 vs. less than 2,000 from 2005 to 2010), and because our approach is cross-sectional and longitudinal, it accounts for more industry-level variation and potential trends. Third, their measure of peripheral CSR only assesses community and environment, and they integrate the remaining five CSR dimensions into a single category. However, if the five factors operate in different ways, a view consistent with prior research (Godfrey, Merrill, and Hansen 2009; Luo et al. 2015), then their null effect could be explained by these factors suppressing each other. Future research may investigate and shed light on whether these contrasting results can be accounted for by their different empirical approaches.

A limitation of our article is that it pertains to U.S. publicly traded companies. International markets may operate differently (e.g., U.S. firms seem to be inflicted with data breaches involving more internal actors; KPMG 2022). As well, private companies are often more secretive and less bound by public sentiment (e.g., reputation building for the sake of managing stock market expectations is not relevant), meaning it is not clear to what extent CSR activities would provide a protective layer in the event of a data breach. Private companies may benefit from CSR in different ways than public companies (Chi, Wu, and Zheng 2020), an issue that merits exploration.

Our article also does not include process measures. Our only evidence of process emerges from Posttest 1.2, in which, using Glassdoor data, we show that employee satisfaction and morale are important factors in explaining data breaches. ⁴ However, we also develop a series of arguments that are not directly assessed with data. For example, based on previous research, we argued that differences in motivations by potential bad actors likely explain differences in the incidence of data breaches. Future research might verify this explanation with process evidence. Likewise, Study 2 examines the effect of CSR on stock market performance, but it would be helpful to examine intermediate variables such as price increases, promotional activity, consumer-based brand equity, or other factors that might provide insight into specific marketing mechanisms. Exploring moderators would also be helpful. For example, prior research shows that severity (i.e., the number of customer records compromised in a data breach) matters such that stock markets react more negatively to larger breaches (Martin, Borah, and Palmatier 2017). Research should extend into new moderators so as to better appreciate context and boundary effects.

Conclusion

Prior research suggests that CSR may help protect brands and firms in the context of product-harm crises (e.g., Klein and Dawar 2004), product recalls (e.g., Noack, Miller, and Smith 2019), service failures (e.g., Bolton and Mattila 2015), and brand transgressions (e.g., Tsarenko and Tojib 2015). Most of this research deals with serious episodes that emerge from within firms as a result of their own decisions. Our research adds to this list by demonstrating that CSR can help firms prevent and recover from data breaches, including those that result from employee intransigence and those that originate from external bad actors, leading firms to perform better in the short and long term. Additional investigation into the effects of CSR on various adverse events is warranted.

Supplemental Material

sj-pdf-1-mrj-10.1177_00222437231218969 - Supplemental material for A Preemptive and Curative Solution to Mitigate Data Breaches: Corporate Social Responsibility as a Double Layer of Protection

Supplemental material, sj-pdf-1-mrj-10.1177_00222437231218969 for A Preemptive and Curative Solution to Mitigate Data Breaches: Corporate Social Responsibility as a Double Layer of Protection by John JianJun Zhu, Ling Tuo, Yanfen You, Qiang Fei and Matthew Thomson in Journal of Marketing Research