Recently, hardly does a month go by without us hearing breaking news on high-profile data breaches. For example, earlier this year, the social media giant Facebook revealed that over 419 million users had their account-linked phone numbers exposed due to an unencrypted server. Anyone who is interested can potentially search for a particular Facebook ID and its associated phone number, including those of famous public figures. When such breach happens, firms suffer significantly in their reputation and business. On average, each data breach costs a firm $8.2 million in the United States and £2.7 million in the UK.

In response to these events, the US Securities and Exchange Commission (SEC) held a roundtable meeting in 2014 and later released official guidance calling for public firms to take necessary actions to inform investors about data breach risks and consequences in 2018. Similarly, the EU’s General Data Protection Regulation mandates that firms handling personal data must put appropriate measures in place or will be financially penalised up to £20 million. Consequently, firms’ IT leadership – the chief information officers (CIO) – are often in the spotlight, facing direct pressure from the board, the stakeholders and the public. Although anecdotal evidence appears to show that CIOs were fired following breach incidents (such as the examples of Equifax’s CIO and Target’s CIO), empirical research on this topic is lacking and our study aims to fill the gap.

The board of a firm provides important governance by overseeing top management within the firm. They set the performance goals for the executives, assess whether performance expectations are met and determine appropriate rewards and penalties. The research on top executives suggests that managers tend to turn over when they fail to meet performance expectations. Therefore, it is reasonable to expect that CIOs will be held accountable if they do not meet their performance expectations as signalled by breach incidents. However, it is important to note that different reasons can cause data breaches. Some may be easily traced back to CIOs’ direct responsibilities, whereas some may not.

In our study, to illuminate the varying causes of a breach, we follow a recent study by Ponemon Institute and categorise breaches into (1) system deficiencies, (2) criminal frauds, and (3) human errors. System deficiencies involve breaches caused by both IT process failures and malicious attacks. IT process failures are often caused by a poorly designed IT system. For example, in 2011 Bank of America’s website glitch exposed customer account data to other customer(s) with the same last name. Malicious hacks can occur if the firm’s IT system is not properly patched and updated. One such example is Heartland Payment Systems, whose point-of-sale system was compromised by malware in 2012, thus exposing its customers’ debit and credit card information.

Criminal attacks refer to non-system-related breaches due to fraud committed by employees, contractors or other third parties. For instance, in 2010 a MetLife employee with legal access to disability insurance applications data illegally sold the confidential information to an unauthorised individual.

Human errors include breaches due to carelessness, negligence or mistakes. One example is an employee of Symantec Corporation who lost a work laptop containing employee social security numbers, names, and addresses while working remotely in 2008. Since CIOs are more directly responsible for designing an IT system that can properly support business processes and reduce vulnerabilities to hacks, we expect the board to be sensitive to system-deficiency-caused breaches and consider these events as a failure of CIOs in meeting their performance expectation that results in the termination of the CIO’s appointment. By contrast, because the other two types of breaches are caused by factors not fully controllable by CIOs, we expect the board to be less likely to terminate the CIO’s appointment in such cases.

Our sample firms are from InformationWeek’s 500 annual lists from 2008 to 2016. We identify a firm’s CIOs as the highest-ranking IT officer in the firm. We manually identify CIO turnover by both observing the CIO’s name change for each firm from one year to the next and verifying using public sources including Bloomberg Businessweek and corporate websites. To ensure these are forced turnovers, we exclude turnovers due to retirement, mergers and acquisitions, promotion, and decease. After merging with other data sources (Compustat, Execucomp, ISS, and Audit Analytics) for multivariate regressions, our final sample consists of 348 unique firms.

Our main empirical results document that system-deficiency-caused breaches are associated with a higher likelihood of CIO turnover; however, we do not observe such impact on CIO turnover for criminal-fraud or human-error-caused breaches. In addition to a battery of additional analyses, we also examine whether CEOs and CFOs are also under scrutiny during such breach events. We find that besides system deficiencies, CEOs are also fired for human-error-caused breaches. This is consistent with CEOs’ broader role in the firm including setting up effective internal controls to prevent human errors. Nevertheless, we do not find CFOs experience turnover in any cases of breach because their main focus is on financial reporting rather than IT. These results collectively corroborate the notion that managers take the blame and suffer negative consequences for duties under their direct control.

Our study highlights that the board recognises the costly adverse consequences of data breaches on their organisation, including the hefty loss of reputation, sales and market value. As a result, the board employs a “disassociation” strategy by terminating executives who are relevant to these breach incidents to separate themselves from the “bad influences.” However, firing an executive may only be a symbolic effort to please stakeholders and investors if no changes are made to prevent similar breaches from happening in the future. Also, unnecessary risks and uncertainties can be introduced by frequent change in the top management. We urge firms to enact real, not symbolic, actions to remedy the flaws in management, improve IT security and implement effective internal controls so that data breaches do not occur.

♣♣♣

Notes:


Rajiv Banker received his doctorate degree in business administration from Harvard University. Dr. Banker is one of the most highly cited scholars in accounting, management and economics worldwide. He is recognised by the Institute for Scientific Information (Web of Science) as one of the most influential researchers in economics and business worldwide. He is ranked as the most prolific scholar in management accounting research. He has received numerous distinguished awards for his research, including several lifetime achievement awards. Dr. Banker has served as editor and on advisory boards of leading research journals in accounting, information systems and operations management.

Cecilia (Qian) Feng is an assistant professor of accounting at the College of Business at Stony Brook University. She received her PhD in accounting from the Fox School of Business at Temple University in 2015. She also holds an MBA from the Fox School. Her research interests are in the area of accounting information systems and include topics relating to IT leadership, the eXtensible business reporting language (XBRL) mandate, and information security breach incidents. Dr. Feng has taught at the graduate and undergraduate levels and has received the “Best Graduate Instructor” teaching award at Stony Brook University in 2018. In addition to focusing on her ongoing studies, Dr. Feng is actively engaging in service activities by reviewing, discussing, and serving as session chair at various academic journals and conferences.