At WEIS last week, Allan Friedman presented “Is There a Cost to Privacy Breaches? An Event Study.” The study looked at the effect of a privacy breach on stock value, and roughly concluded that it does no lasting harm to shareholders after a few days. Tom Espiner of ZDNet has an article that explains the research in more depth. Previous work is mostly by the (commercial) Ponemon Institute, and has focused on helping their customers understand that how the news is broken strongly affects the consequences of a breach. (“Small Bits on Privacy,” “How To Notify Customers After a Breach,” “Costs of Breaches” and “Attackers, Disclosure and Expectations.”)
So we have two bits of apparently discordant data: Ponemon says that breaches can have a serious effect on customer retention, and Friedman, Acquisti and Telang say the markets don’t care. I suspect both are correct.
How can that be? Are markets not efficient? I think a few things are happening. The new paper looked at 78 breaches from a larger set that was reduced by various filters. That’s a small data set. Fortunately, we have more data now, and perhaps it will be possible to see more in future studies.
Even so, breaches are one-time events, and the market probably discounts them because they appear to be random. Why do they appear to be random? Because it’s hard to evaluate whether a security program is effective, even internally. It is even harder, as a customer, to decide whether a company is secure. In fact, companies that have recently suffered a breach may be investing more heavily in security, and thus may be a better place to do business if you care about the security of your data.
There’s another important lesson here: 1386 and its descendants are not bad for business. The huge lobbying effort to curtail them is wasted effort, and companies should stop investing in it. Since the pain of a breach is temporary, it’s not all that worth worrying about. The current crop of stories will fall away, and consumers’ concerns will be addressed by the rise of new firms like Debix. (I have consulted for Debix, and have some options as well.)
As the worries fall away, we’ll start to be able to evaluate security programs. The newfound availability of data is a marvelous thing. It allows Acquisti, Friedman and Telang to evaluate the effect of privacy breaches on share prices. It will give us more data, and that data will be invaluable to a broad swath of research efforts.
So yes, lost data does matter, if not to the shareholders.