Data breach disclosure (DBD) is presumed to improve firms' cybersecurity practices by inducing fear of subsequent revenue loss. This revenue loss, the theory goes, will occur if customers punish an offending firm by refusing to buy from it, and it is assumed to be the primary mechanism through which DBD laws change firm behavior ex ante. However, our analysis of a large-scale data breach at a US retailer reveals no evidence of a decline in revenue. Using a difference-in-differences design on revenue data from 302 stores over a 20-week period around the breach disclosure, we found no evidence of a decline either across all stores or when sub-sampling by prior revenue size (to account for any heterogeneity in prior revenue size). Therefore, we posit that the presumed primary mechanism of DBD laws may not hold, and thus these laws may be ineffective and merely a lot of "sound and fury, signifying nothing."
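The abstract names a difference-in-differences (DiD) design but does not show the estimator, nor what a "no evidence of decline" result looks like against sampling noise. The following is an added example, not the paper's code or data: it builds a constructed weekly revenue panel (the store counts, revenue levels, common trend and disclosure week are all assumptions), computes the 2x2 DiD estimate of the disclosure's effect on the breached retailer's stores relative to an assumed unaffected control group, and runs a placebo permutation check that reassigns "treated" status across stores to see how often noise alone produces an estimate as large as the observed one.

```python
"""Difference-in-differences on a constructed store-revenue panel.

Added illustration; not the paper's code and not its data. 'Treated'
stores stand in for the breached retailer's stores and 'control' stores
for an assumed comparable, unaffected group. All figures are constructed.
"""
import random
import statistics


def make_panel(n_treated=6, n_control=6, weeks=20, disclosure_week=10,
               treatment_effect=0.0, seed=7):
    """Return a balanced weekly panel of store revenues (constructed data).

    Every store has its own base level, both groups share the same linear
    time trend, and `treatment_effect` is added to treated stores in the
    post-disclosure weeks only (0.0 simulates a true null effect).
    """
    rng = random.Random(seed)
    rows = []
    for store in range(n_treated + n_control):
        treated = store < n_treated
        base = rng.uniform(80_000, 120_000)      # store-specific level
        for week in range(weeks):
            post = week >= disclosure_week
            trend = 1_000 * week                  # common trend, both groups
            revenue = base + trend + rng.gauss(0, 2_000)
            if treated and post:
                revenue += treatment_effect
            rows.append({"store": store, "week": week, "treated": treated,
                         "post": post, "revenue": revenue})
    return rows


def did_estimate(rows, treated_stores=None):
    """2x2 DiD: (treated post - treated pre) - (control post - control pre).

    The store base level and the common trend cancel within each group, so
    what remains is the treated group's excess change after disclosure.
    `treated_stores` lets the caller relabel which stores count as treated.
    """
    if treated_stores is None:
        treated_stores = {r["store"] for r in rows if r["treated"]}

    def cell_mean(treated, post):
        vals = [r["revenue"] for r in rows
                if (r["store"] in treated_stores) == treated
                and r["post"] == post]
        return statistics.fmean(vals)

    return ((cell_mean(True, True) - cell_mean(True, False))
            - (cell_mean(False, True) - cell_mean(False, False)))


def permutation_pvalue(rows, n_perm=500, seed=11):
    """Placebo check: share of random store relabelings whose |DiD| is at
    least as large as the observed |DiD|. A large share means the observed
    estimate is indistinguishable from noise, i.e. no evidence of an effect.
    """
    rng = random.Random(seed)
    stores = sorted({r["store"] for r in rows})
    n_treated = len({r["store"] for r in rows if r["treated"]})
    observed = abs(did_estimate(rows))
    extreme = 0
    for _ in range(n_perm):
        fake_treated = set(rng.sample(stores, n_treated))
        if abs(did_estimate(rows, fake_treated)) >= observed:
            extreme += 1
    return extreme / n_perm


if __name__ == "__main__":
    # Null scenario: disclosure has no effect on treated-store revenue.
    null_panel = make_panel(treatment_effect=0.0)
    print(f"null DiD = {did_estimate(null_panel):,.0f}  "
          f"placebo p = {permutation_pvalue(null_panel):.3f}")
    # Contrast: a constructed weekly revenue drop of 10,000 per treated store.
    drop_panel = make_panel(treatment_effect=-10_000)
    print(f"drop DiD = {did_estimate(drop_panel):,.0f}  "
          f"placebo p = {permutation_pvalue(drop_panel):.3f}")
```

Under the null scenario the estimate sits within a few hundred units of zero and a sizeable fraction of placebo relabelings produce an estimate at least as large, which is the shape of a "no evidence of decline" finding; with a constructed drop of 10,000 the estimate recovers that drop and almost no relabeling matches it. The real study's 302-store panel gives far tighter noise bounds than this toy, so a null there is correspondingly more informative.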