Full Text

Introduction

Data breaches, i.e. unintentional or intentional unauthorized access or acquisition of confidential or sensitive company data, are becoming more common, more impactful and more publicized. Recent breaches have compromised companies in such varied industries as consumer reporting agencies, credit cards and banks, retail, hospitality, banking, medical and social media. It seems that no industry is immune. Even companies within the security sector have been compromised. This study seeks to gain a better understanding of breaches in the hospitality industry by examining recent trends of data breaches occurring in the hospitality industry, identifying the source of incidents and measuring the differences between incidents in the hospitality industry with those occurring in other industries.

Data breaches are of concern because of the damage and losses that can occur as a result. In addition to the direct financial losses that a company can incur, consumer trust, firm reputation, market share and stock valuation can all be affected (Gwebu et al., 2018; Yayla and Hu, 2011). A recent study indicated that direct losses alone from a single incident can average US$2m (Walter, 2015). Consumers, of course, are put at risk for loss of assets, lowering of credit ratings and identity theft (Romanosky et al., 2011). The escalation of data breach occurrences has attracted the attention of government, industry and academia. Several online sources [for instance, privacy rights Clearinghouse (PRC), DataLoss DB and Verizon VERIS Community Database (VCDB)] track breaches and provide descriptive (and prescriptive) information regarding the types of breaches, which industries were affected, which companies were breached and the resulting losses.

The academic community has responded by examining individual cases, as well as aggregate data and trends. Researchers in a variety of academic fields have investigated topics largely focusing on:

• causes of breaches (Sen and Borle, 2015);

• responses to breaches (Gwebu et al., 2018); and

• the impact on investors (as measured by market capitalization) (Acquisti et al., 2006).

Legal requirements have also been of interest. A seminal article by Romanosky et al. (2011) examined the effectiveness of individual state laws (requiring companies to disclose breaches) in reducing identity theft, finding a significant effect.

Researchers typically have examined the impact of individual companies, industries or markets in the aggregate. Fewer articles have examined differences...