Corporate social irresponsibility and the occurrence of data breaches: A stakeholder management perspective

•We find a positive and significant association between corporate social irresponsibility (CSIR) and the occurrence of data breaches.•CSIR regarding employee, community, and governance issues plausibly results in internal data breaches and environmental concerns may trigger external attacks (hacking), while product safety problems can lead to both types of data breaches.•Negative stock market reactions to data breaches are significant and persistent.•Firms effectively respond to data breaches by establishing corporate social responsibility committees on their board of directors and mitigating future CSIR. Ever-increasing data breach incidents are destroying firms’ operations and financial sustainability. We examine the association between corporate social irresponsibility (CSIR) and data breach incidents, stock market reactions to these incidents, and how the affected firms respond to data breaches. Using a sample of 24,456 observations from 2005 to 2018, we find a positive and significant association between CSIR and the occurrence of data breaches. More importantly, CSIR, regarding employee, community, and corporate governance issues, is more likely to result in internal data breaches, and environmental concerns can trigger external attacks. In contrast, product concerns can lead to both internal breaches and external attacks. Consistent with our prediction, the negative stock market reaction to data breaches is more pronounced in CSIR than in non-CSIR firms. Finally, we show that firms respond to data breaches by establishing corporate social responsibility (CSR) committees. Firms with such committees, especially those with robust CSR committees, are more likely to react to data breaches by mitigating CSIR. Our results offer important and timely policy, practice, and research implications as data breaches persist.