Since 2018, data protection laws have reduced the number of security breaches but have impacted the value of companies.

Image credit: CC0 Public Domain

According to a new study by the University of East Anglia (UEA) and the University of Texas, the introduction of new data protection regulations has significantly reduced the number of breaches by companies, but has had a negative impact on their market value.

Researchers examined what happened when the European Union’s General Data Protection Regulation (GDPR) came into force in 2018. Taking advantage of its extraterritorial reach, the authors examined how U.S. companies differed in their exposure to the EU GDPR to see how stricter data protection laws affected their value, investment decisions and data breaches.

They found that companies that had to comply with GDPR saw their market value drop by 0.6 to 1.1 percent in the week the regulation went into effect, or by $42 billion to $76 billion overall. This was partly because stricter privacy and data security laws slowed companies’ revenue growth.

However, these companies invested more money in data protection than those not affected by GDPR and had fewer data breaches. This reduction was significant, preventing up to 34 million records from being leaked each year, which would have cost companies between $205 million and $561 million per year.

The results are published in Journal of Corporate Finance and Accounting. Co-author Dr Fabio Motoki, Senior Lecturer in Accounting at UEA’s Norwich Business School, said: “Overall, this study highlights the key costs and benefits of stronger data protection laws and provides useful information for businesses and regulators around the world.

“These results suggest that the GDPR may have achieved one of its intended goals of improving consumer data protection and privacy. This appears to be the first study to document the potential benefits associated with recent efforts to regulate these areas.

“Specifically, we found that U.S. companies subject to GDPR were less likely to report a data breach after the regulation came into force. The lower likelihood of data breaches appears to be due to a reduction in data breaches related to hacking and malware, which may be due to increased investment in cybersecurity. This increased investment may be due to the increased attention of a more specialized body monitoring cybersecurity risks in U.S. companies as a result of GDPR.”

The EU adopted the GDPR to address growing concerns about data privacy and security. It came into force on May 25, 2018, and requires greater transparency in how companies collect consumer data, requiring clear consent for collection, imposing stricter data management and controls, and imposing significant penalties and liability risks for violations of data processing or data flow. As such, it was believed that the regulation would likely impose high compliance costs on companies.

The GDPR requires any company that controls or processes data of EU citizens to follow the rules, regardless of their location. Therefore, companies around the world, including the US, may be subject to the GDPR if they process personal data of EU citizens.

Numerous US states and other countries such as Brazil, China and Canada have now passed laws such as the GDPR or are currently discussing them. This underlines the importance of examining the consequences of this regulation outside the EU as well.

Dr. Motoki and co-author Jedson Pinto, assistant professor of accounting at the University of Texas, analyzed how GDPR affected the stock prices of a sample of 1,013 U.S. companies the week the regulations went into effect, comparing those that were affected with those that were not.

The control group of companies that do not face risks associated with GDPR are those in healthcare, banking or insurance, as they are already subject to stricter data protection laws. The industries most affected by GDPR range from business services and utilities to pharmaceuticals and shipping containers.

According to the researchers, the decline in companies’ value is consistent with investors’ expectations that stricter data protection laws will have a significant negative impact on companies’ future cash flow.

They also find that companies subject to the GDPR have statistically slower revenue growth than companies not subject to the GDPR. For affected companies, revenues grew 5.8 to 6.6 percentage points slower after the law came into force than for control-group companies.

The lower likelihood of data breaches meant 10 fewer data breaches per year. In 2023, the cost per record for a medium-sized data breach (up to 101,200 records) was estimated to be about $165 per record, with large data breaches having a lower cost per record but a higher total economic cost.

Dr Pinto said: “Our findings add to the growing body of literature documenting the costs of GDPR, such as a decline in venture capital investment in the EU, particularly when the companies and the lead investors are not located in the same state or Union.”

“They suggest that the GDPR may have changed the market’s perception of these breaches, which may also change executives’ incentives to protect customer data. These findings are consistent with the assumption that regulation provides an alternative way to address recent privacy and security concerns and should be of interest to regulators around the world who have enacted or are considering enacting laws similar to the EU GDPR.”

Dr. Motoki and Dr. Pinto also examined whether the GDPR affected investors’ reaction to the disclosure of a data breach, using information from 62 breaches during the study period. They found that under the GDPR, investors may react more negatively to a data breach for companies with more stringent data protection requirements.

The economic impact is significant: a data theft can lead to a share price decline of up to 5.3 percent in the five days after the breach is announced compared to companies that are not subject to the regulations. These results are consistent with the assumption that investors expect significant litigation costs related to fines in the event of a data theft.

More information:
Data regulation: lessons from the American economy, Journal of Corporate Finance and Accounting (2024). DOI: 10.1111/jbfa.12820

Provided by the University of East Anglia

Citation: Since 2018, data protection laws have reduced security breaches but affected the value of companies (July 17, 2024), retrieved July 17, 2024 from https://techxplore.com/news/2024-07-laws-breaches-affected-firms.html