Data as Liability: AI Adoption and Disclosed Breach-Risk Attention

Fatih Kansoy; Yuhao Huo

Home

Research · Mar 25, 2026

Data as Liability

Fatih Kansoy and Yuhao Huo · Published in: University of Oxford Department of Economics Discussion Papers

AI and DataCorporate disclosureTechnology governance

PDF BibTeX RIS

Plain-Language Summary

The paper separates two ideas that are often bundled together in public discussion: inventing AI and adopting AI inside live business processes. The central question is not whether AI is valuable. It is whether the move from research or invention into deployment creates a new liability margin that managers themselves treat as material.

The evidence comes from firms' own annual filings. That matters because the outcome is not media attention or realised breach incidence; it is the space firms devote to breach-related risk in legally consequential disclosures. The main result is that AI adoption is the margin that moves with breach-risk attention, while AI invention becomes economically small once both margins are estimated together.

The customer-facing results sharpen the interpretation. AI systems that touch customers, personal information, vendors, and continuing data flows are the places where the liability side of AI diffusion becomes most visible. The managerial implication is that AI deployment is also a governance decision about security controls, vendor oversight, consent, data minimisation, and incident response.

Research Question

Can firms adopt AI without also creating a disclosure-visible data liability, and is that effect driven by adoption rather than invention?

Why It Matters

The paper speaks to a practical policy question. Regulation aimed at AI research and regulation aimed at deployed AI systems are not the same thing. If the liability signal appears mainly in adoption, then the relevant governance tools are closer to data protection, breach notification, vendor management, and customer-facing controls than to broad limits on invention.

Data

The main panel uses roughly 84,000 firm-years of US listed-firm annual filings from 1994 to 2023. The paper builds layered text and LLM measures that distinguish AI invention language from AI adoption language. A narrower disclosure sample and paragraph-level classifications are used to validate and interpret the main filing-level evidence.

Method

The empirical design relates AI invention and AI adoption measures to disclosed breach-risk attention in firm filings, using fixed effects and placebo controls for non-AI digitisation language. The paper then examines customer-facing deployment, direct text statements that explicitly link AI to risk, and supplementary evidence from staggered state Data Breach Notification laws.

Contribution and Findings

01

Adoption, not invention

AI adoption is associated with roughly 5 per cent higher breach-risk attention relative to the sample mean; AI invention is economically negligible once both enter the same specification.

02

Customer-facing deployment matters

Among adopters, breach-risk attention is strongest where AI is customer-facing, consistent with the idea that live data flows create governance obligations.

03

Firms describe exposure, not protection

In direct statements linking AI to breach vulnerability, 101 of 103 directional statements describe AI as expanding exposure rather than reducing it.

04

Bounded interpretation

The outcome is disclosed breach-risk attention, not realised breach incidence, so the evidence is strongest about managerial salience and revealed materiality.

The paper contributes by separating AI invention from AI adoption in corporate text and showing that the liability side of AI diffusion is concentrated in deployment. It reframes AI risk as a data-governance complement to AI adoption rather than a simple tax on innovation.

Figures and Tables

Coefficient ladder showing the adoption versus invention wedge. — Headline exhibit: adoption-specific AI language tracks breach-risk attention more strongly than invention language.

Customer-facing mechanism and direct textual evidence table. — Paper table: customer-facing AI use and direct textual evidence from firms' own risk statements.

Results Table

Key results from the paper

Evidence	Result	Interpretation
AI adoption	About 5 per cent higher breach-risk attention relative to the sample mean	The liability signal is tied to deployment.
AI invention	Economically negligible once adoption is included	Research or invention language is not the main disclosure margin.
Customer-facing AI	Positive premium in filing and paragraph classifications	Data-facing deployment is where governance exposure is most visible.
Direct statements	101 statements say AI raises risk; 2 say it reduces risk	Firms themselves usually describe AI as expanding exposure.

Scope and Limits

The paper does not claim to measure actual breaches. Firm disclosures may reflect selection into AI adoption, managerial attention, legal caution, or expected exposure. The DBN evidence is supplementary and should not be read as a stand-alone causal design.

Selected References

Acemoglu, D., Autor, D., Hazell, J., and Restrepo, P. 2022. Artificial intelligence and jobs: Evidence from online vacancies.
Babina, T., Fedyk, A., He, A. X., and Hodson, J. 2024. Artificial intelligence, firm growth, and product innovation.
Bao, Y. and Datta, A. 2014. Simultaneously discovering and quantifying risk types from textual risk disclosures.
Florackis, C., Louca, C., Michaely, R., and Weber, M. 2023. Cybersecurity risk.
Miller, A. R. and Tucker, C. 2009. Privacy protection and technology diffusion.

How to Cite

Use the canonical page URL for discovery and the PDF link for the full manuscript when available.

APA

Kansoy, F., & Huo, Y. (2026). Data as Liability: AI Adoption and Disclosed Breach-Risk Attention. University of Oxford Department of Economics Discussion Papers. https://fatih.ai/research/data_as_liability/

Chicago

Kansoy, Fatih, and Yuhao Huo. 2026. "Data as Liability: AI Adoption and Disclosed Breach-Risk Attention." University of Oxford Department of Economics Discussion Papers. https://fatih.ai/research/data_as_liability/.

Harvard

Kansoy, F., & Huo, Y. 2026, 'Data as Liability: AI Adoption and Disclosed Breach-Risk Attention', University of Oxford Department of Economics Discussion Papers, available at: https://fatih.ai/research/data_as_liability/.

BibTeX

@article{kansoy2026data,
  title   = {Data as Liability: AI Adoption and Disclosed Breach-Risk Attention},
  author  = {Fatih Kansoy and Yuhao Huo},
  journal = {University of Oxford Department of Economics Discussion Papers},
  year    = {2026},
  url     = {https://fatih.ai/aidata.pdf}
}

BibTeX RIS

At a Glance

Published in: University of Oxford Department of Economics Discussion Papers
Year: 2026
Authors: Fatih Kansoy and Yuhao Huo
Findings: AI adoption is associated with roughly 5 per cent higher breach-risk attention relative to the sample mean; AI invention is economically negligible once both enter the same specification. Among adopters, breach-risk attention is strongest where AI is customer-facing, consistent with the idea that live data flows create governance obligations.
Data: The main panel uses roughly 84,000 firm-years of US listed-firm annual filings from 1994 to 2023. The paper builds layered text and LLM measures that distinguish AI invention language from AI adoption language. A narrower disclosure sample and paragraph-level classifications are used to validate and interpret the main filing-level evidence.
Method: The empirical design relates AI invention and AI adoption measures to disclosed breach-risk attention in firm filings, using fixed effects and placebo controls for non-AI digitisation language. The paper then examines customer-facing deployment, direct text statements that explicitly link AI to risk, and supplementary evidence from staggered state Data Breach Notification laws.
JEL: O33, G38, D83, L86, K22

Oxford · United Kingdom Research · CV

[1] Acemoglu, D., Autor, D., Hazell, J., and Restrepo, P. 2022. Artificial intelligence and jobs: Evidence from online vacancies.

[2] Babina, T., Fedyk, A., He, A. X., and Hodson, J. 2024. Artificial intelligence, firm growth, and product innovation.

[3] Bao, Y. and Datta, A. 2014. Simultaneously discovering and quantifying risk types from textual risk disclosures.

[4] Florackis, C., Louca, C., Michaely, R., and Weber, M. 2023. Cybersecurity risk.

[5] Miller, A. R. and Tucker, C. 2009. Privacy protection and technology diffusion.