{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,17]],"date-time":"2026-01-17T04:11:54Z","timestamp":1768623114447,"version":"3.49.0"},"reference-count":46,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2022,9,7]],"date-time":"2022-09-07T00:00:00Z","timestamp":1662508800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2023,2,9]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to investigate the impact of the General Data Protection Regulation (GDPR) infringement fine announcements on the market value of mostly European publicly listed companies with a view to reinforcing the importance of data privacy compliance, thereby informing cyber security investment strategies for organisations.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Previous studies have shown (varying degrees of) evidence of a negative impact of data breach announcements on the share price of publicly listed companies. Following on from this research, further studies have been carried out in assessing the economic impact of the introduction of legislation in this area to encourage firms to invest in cyber security and protect the privacy of data subjects. Existing research has been predominantly US centric.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Using event study techniques, a data set of 25 GDPR fine announcement events was analysed, and statistically significant cumulative abnormal returns of around 1% on average up to three days after the event were identified. In almost all cases, this negative economic impact on market value far outweighed the monetary value of the fine itself, and relatively minor fines could result in major market valuation losses for companies, even those having large market capitalisations.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This research would be of benefit to business management, practitioners of cyber security, investors and shareholders as well as researchers in cyber security or related fields (pointers to future research are given). Data protection authorities may also find this work of interest.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-03-2022-0049","type":"journal-article","created":{"date-parts":[[2022,9,6]],"date-time":"2022-09-06T08:34:34Z","timestamp":1662453274000},"page":"51-64","source":"Crossref","is-referenced-by-count":5,"title":["The impact of GDPR infringement fines on the market value of firms"],"prefix":"10.1108","volume":"31","author":[{"given":"Adrian","family":"Ford","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ameer","family":"Al-Nemrat","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Seyed Ali","family":"Ghorashi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Julia","family":"Davidson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","published-online":{"date-parts":[[2022,9,7]]},"reference":[{"issue":"3","key":"key2023020816260240900_ref001","first-page":"482","article-title":"COVID-19 outbreak and sectoral performance of the Australian stock market: an event study analysis","volume":"60","year":"2020","journal-title":"Australian Economic Papers"},{"key":"key2023020816260240900_ref002","doi-asserted-by":"crossref","first-page":"102451","DOI":"10.1016\/j.cose.2021.102451","article-title":"Stock market reactions to favorable and unfavorable information security events: a systematic literature review","volume":"110","year":"2021","journal-title":"Computers and Security"},{"issue":"1","key":"key2023020816260240900_ref003","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1109\/MSP.2010.37","article-title":"How internet security breaches harm market value","volume":"8","year":"2010","journal-title":"IEEE Security and Privacy Magazine"},{"key":"key2023020816260240900_ref004","unstructured":"BBC (2013), \u201cSony fined over 'preventable' PlayStation data hack\u201d, available at: www.bbc.co.uk\/news\/technology-21160818 (accessed 30 March 2021)."},{"key":"key2023020816260240900_ref005","unstructured":"BBC (2016), \u201cTalkTalk fined \u00a3400,000 for theft of customer details\u201d, available at: www.bbc.co.uk\/news\/business-37565367 (accessed 26 April 2021)."},{"issue":"3","key":"key2023020816260240900_ref006","doi-asserted-by":"crossref","first-page":"431","DOI":"10.3233\/JCS-2003-11308","article-title":"The economic cost of publicly announced information security breaches: empirical evidence from the stock market","volume":"11","year":"2003","journal-title":"Journal of Computer Security"},{"issue":"3","key":"key2023020816260240900_ref007","first-page":"93","article-title":"An analysis of the impact of Wannacry cyberattack on cybersecurity stock returns","volume":"13","year":"2018","journal-title":"Review of Economics and Finance"},{"issue":"1","key":"key2023020816260240900_ref008","first-page":"69","article-title":"The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers","volume":"9","year":"2004","journal-title":"International Journal of Electronic Commerce"},{"key":"key2023020816260240900_ref009","unstructured":"CMS Legal (2021), \u201cGDPR enforcement tracker\u201d, available at: www.enforcementtracker.com\/ (accessed 26 May 2021)."},{"issue":"3","key":"key2023020816260240900_ref010","doi-asserted-by":"crossref","first-page":"477","DOI":"10.1016\/j.clsr.2018.01.005","article-title":"The introduction of data breach notification legislation in Australia: a comparative view","volume":"34","year":"2018","journal-title":"Computer Law and Security Review"},{"key":"key2023020816260240900_ref011","unstructured":"Data Protection Act (1998), available at: www.legislation.gov.uk\/ukpga\/1998\/29\/contents (accessed 30 April 2021)."},{"key":"key2023020816260240900_ref012","unstructured":"Data Protection Act (2018), available at: www.legislation.gov.uk\/ukpga\/2018\/12\/contents\/enacted (accessed 10 March 2019)."},{"key":"key2023020816260240900_ref013","unstructured":"Data Protection Directive (1995), available at: https:\/\/eur-lex.europa.eu\/LexUriServ\/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (accessed 30 April 2021)."},{"issue":"3","key":"key2023020816260240900_ref014","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1007\/s10799-018-00297-3","article-title":"The effect of information security certification announcements on the market value of the firm","volume":"20","year":"2019","journal-title":"Information Technology and Management"},{"key":"key2023020816260240900_ref015","doi-asserted-by":"crossref","first-page":"1","DOI":"10.2307\/2490855","article-title":"A comparison of event study methodologies using daily stock returns: a simulation approach","volume":"22","year":"1984","journal-title":"Journal of Accounting Research"},{"key":"key2023020816260240900_ref016","unstructured":"ENISA (2020), \u201cETL2020 the year in review\u201d, available at: www.enisa.europa.eu\/publications\/year-in-review"},{"key":"key2023020816260240900_ref017","unstructured":"European Commission (2021), \u201cProposal for an ePrivacy regulation\u201d, available at: https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/eprivacy-regulation"},{"key":"key2023020816260240900_ref018","unstructured":"European Convention on Human Rights (1950), available at: www.coe.int\/en\/web\/conventions\/full-list\/-\/conventions\/treaty\/005 (accessed 30 April 2021)."},{"issue":"2","key":"key2023020816260240900_ref019","first-page":"383","article-title":"Efficient capital markets: a review of theory and empirical work","volume":"25","year":"1970","journal-title":"The Journal of Finance"},{"key":"key2023020816260240900_ref020","doi-asserted-by":"publisher","article-title":"The impact of GDPR infringement fines on the market value of firms","year":"2021","DOI":"10.34190\/EWS.21.088"},{"key":"key2023020816260240900_ref021","article-title":"The impact of data breach announcements on company value in European markets","year":"2021"},{"issue":"1","key":"key2023020816260240900_ref022","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1201\/1086\/43325.12.1.20030301\/41478.5","article-title":"The financial impact of IT security breaches: what do investors think?","volume":"12","year":"2003","journal-title":"Information Systems Security"},{"issue":"7","key":"key2023020816260240900_ref023","doi-asserted-by":"crossref","first-page":"404","DOI":"10.1016\/j.im.2009.06.005","article-title":"Estimating the market impact of security breach announcements on firm values","volume":"46","year":"2009","journal-title":"Information and Management"},{"key":"key2023020816260240900_ref024","first-page":"37","article-title":"The impact of federal and state notification laws on security breach announcements","volume":"34","year":"2014","journal-title":"Communications of the Association for Information Systems"},{"issue":"10","key":"key2023020816260240900_ref025","doi-asserted-by":"crossref","first-page":"2198","DOI":"10.1080\/1540496X.2020.1785865","article-title":"COVID-19\u2019s impact on stock prices across different sectors \u2013 an event study based on the Chinese stock market","volume":"56","year":"2020","journal-title":"Emerging Markets Finance and Trade"},{"issue":"3","key":"key2023020816260240900_ref026","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1016\/j.im.2014.12.006","article-title":"The influence of data theft on the share prices and systematic risk of consumer electronics companies","volume":"52","year":"2015","journal-title":"Information and Management"},{"issue":"5","key":"key2023020816260240900_ref027","doi-asserted-by":"crossref","first-page":"681","DOI":"10.1016\/j.im.2018.11.003","article-title":"Information security breaches and IT security investments: impacts on competitors","volume":"56","year":"2019","journal-title":"Information and Management"},{"issue":"1","key":"key2023020816260240900_ref028","doi-asserted-by":"crossref","first-page":"69","DOI":"10.2753\/JEC1086-4415120103","article-title":"Market reactions to information security breach announcements: an empirical analysis","volume":"12","year":"2007","journal-title":"International Journal of Electronic Commerce"},{"key":"key2023020816260240900_ref029","doi-asserted-by":"crossref","first-page":"100527","DOI":"10.1016\/j.finmar.2019.100527","article-title":"Insider trading ahead of cyber breach announcements","volume":"50","year":"2020","journal-title":"Journal of Financial Markets"},{"issue":"1","key":"key2023020816260240900_ref030","article-title":"Event studies in economics and finance","volume":"35","year":"1997","journal-title":"Journal of Economic Literature"},{"key":"key2023020816260240900_ref031","unstructured":"Macfarlanes (2020), available at: www.macfarlanes.com\/what-we-think\/in-depth\/2020\/lessons-from-the-ico-s-decisions-to-reduce-the-ba-and-marriott-gdpr-fines\/ (accessed 26 February 2021)."},{"issue":"1","key":"key2023020816260240900_ref032","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1016\/j.jom.2014.10.003","article-title":"Shareholder value implications of service failures in triads: the case of customer information security breaches","volume":"35","year":"2015","journal-title":"Journal of Operations Management"},{"key":"key2023020816260240900_ref033","article-title":"Do data breach disclosure laws increase firms\u2019 investment in securing their digital infrastructure?","author":"Murciano-Goroff","year":"2019"},{"issue":"6","key":"key2023020816260240900_ref034","doi-asserted-by":"crossref","first-page":"1232","DOI":"10.1016\/j.clsr.2018.05.026","article-title":"An analysis of the effectiveness of the EU data breach notification obligation","volume":"34","year":"2018","journal-title":"Computer Law and Security Review"},{"key":"key2023020816260240900_ref035","unstructured":"Privacy and Electronic Communications Directive (2002), available at: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/ALL\/?uri=CELEX%3A32002L0058 (accessed 30 April 2021)."},{"key":"key2023020816260240900_ref036","unstructured":"R Core Team (2018), \u201cR: a language and environment for statistical computing\u201d, R Foundation for Statistical Computing, Vienna, available at: www.R-project.org\/"},{"key":"key2023020816260240900_ref037","doi-asserted-by":"crossref","first-page":"92","DOI":"10.1016\/j.econmod.2019.07.010","article-title":"Limited attention, salience of information and stock market activity","volume":"87","year":"2020","journal-title":"Economic Modelling"},{"issue":"3","key":"key2023020816260240900_ref038","doi-asserted-by":"crossref","first-page":"227","DOI":"10.2308\/isys-52379","article-title":"Much ado about nothing: the (lack of) economic impact of data privacy breaches","volume":"33","year":"2019","journal-title":"Journal of Information Systems"},{"issue":"2","key":"key2023020816260240900_ref039","doi-asserted-by":"crossref","first-page":"256","DOI":"10.1002\/pam.20567","article-title":"Do data breach disclosure laws reduce identity theft?","volume":"30","year":"2011","journal-title":"Journal of Policy Analysis and Management"},{"key":"key2023020816260240900_ref040","doi-asserted-by":"crossref","first-page":"458","DOI":"10.1016\/j.ribaf.2018.09.007","article-title":"Social media and stock price reaction to data breach announcements: evidence from US listed companies","volume":"47","year":"2019","journal-title":"Research in International Business and Finance"},{"issue":"1","key":"key2023020816260240900_ref041","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1108\/ICS-03-2014-0020","article-title":"The impact of repeated data breach events on organisations\u2019 market value","volume":"24","year":"2016","journal-title":"Information and Computer Security"},{"key":"key2023020816260240900_ref042","unstructured":"Schimmer, M., Levchenko, A. and M\u00fcller, S. (2014), \u201cEventStudyTools (research apps), St.Gallen\u201d, available at: www.eventstudytools.com (accessed 26 February 2021)."},{"key":"key2023020816260240900_ref043","doi-asserted-by":"crossref","first-page":"216","DOI":"10.1016\/j.cose.2015.12.006","article-title":"The impact of information security events to the stock market: a systematic literature review","volume":"58","year":"2016","journal-title":"Computers and Security"},{"issue":"5","key":"key2023020816260240900_ref044","doi-asserted-by":"crossref","first-page":"637","DOI":"10.1108\/ICS-05-2018-0060","article-title":"Impact of cyberattacks on stock performance: a comparative study","volume":"26","year":"2018","journal-title":"Information and Computer Security"},{"key":"key2023020816260240900_ref045","unstructured":"Yahoo!Finance (2019), \u201cHistorical data\u201d, available at: https:\/\/finance.yahoo.com\/quote"},{"issue":"1","key":"key2023020816260240900_ref046","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1057\/jit.2010.4","article-title":"The impact of information security events on the stock value of firms: the effect of contingency factors","volume":"26","year":"2011","journal-title":"Journal of Information Technology"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2022-0049\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2022-0049\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:48Z","timestamp":1753406568000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/31\/1\/51-64\/103614"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,9,7]]},"references-count":46,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,9,7]]},"published-print":{"date-parts":[[2023,2,9]]}},"alternative-id":["10.1108\/ICS-03-2022-0049"],"URL":"https:\/\/doi.org\/10.1108\/ics-03-2022-0049","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,9,7]]}}}