Data breaches are damaging to a company’s reputation and revenue, specifically those in which unauthorized access to confidential information occurs (Acquisti et al., 2006; Campbell et al., 2003). Although companies may under-report, or refuse to report, the financial impact of a security breach, observational research and event studies find that impacted companies experience an immediate drop of 5.6 per cent in stock shares. Further, companies can experience financial loss between $17 and $28m per incident (Garg et al., 2003; Morse et al., 2011). These incidents have also been found to lower consumer trust and intentions of shopping online, especially among older adults (Chakraborty et al., 2016). In non-online–based companies, such as hotels, breaches also have a negative impact on consumer perception, satisfaction and intent to revisit (Berezina et al., 2012). However, it is important to note that the fault of security breaches is not always with the company. For example, research by Berendt et al. (2005) found that although online users may indicate that they expect and prefer specific privacy behaviors and systems, they often do not act in accordance with these stated preferences. In spite of their potential contribution to company susceptibilities to data breaches, individuals often perceive that the onus of responsibility for data security lies solely with an online company or vendor. Vendors that store personal or financial information of consumers have pushed for better online security and reputations for security, which may have had the unintended consequence of false security for consumers (Carré et al., 2018). Further, Carré et al. found that following a data breach, individuals are more likely to repudiate the quality of a company, specifically among selfish personality types. However, individuals often engage in behaviors that can put online companies at risk for hacking and breaches. Specifically, users perceive that engagement in secure behaviors is an inconvenience and that many messages about security awareness do not result in behavioral changes (Ng et al., 2009).