New research in INFORMS magazine Public Administration notes that companies that have experienced data breaches deliberately time such announcements around other important news to reduce media coverage and minimize public attention.

“We estimate that strategic timing reduces the median decline in market cap loss from a data breach, from $347 million to $85 million,” said Sebastian Schuetz of Florida International University.

The study, conducted by Schuetz and Jens Foerderer of the Technical University of Munich, finds that this strategy hurts consumers because the stock markets do not adequately “punish” companies for their misbehavior.

The work appears to show that strategic timing is most prevalent in data breaches of paramount concern to consumers, such as more serious breaches involving health data, financial records, and credentials.

“Based on our findings, we recommend that lawmakers impose shorter disclosure deadlines, from the current 30-day deadline to just three days,” Foerderer said. “Strategic timing is detrimental to consumers because it undermines the effectiveness of current US data breach laws. As consumers and investors receive less information about the occurrence of a data breach, fewer changes are promoted by companies to protect consumers from future security vulnerabilities.”

