Several studies have come out claiming a relationship between data breaches and stock price, or more to the point, that a company's stock falls after a breach is disclosed. As much as I love the idea of the market and free economies punishing those with poor controls (or, in some cases, rotten luck), my cursory research on the biggest data breaches does not support this conclusion.
First, let's give credit to the study that was done, as posted and reported on CSO:
‘Scott Crawford, senior analyst with EMA, said within four weeks of public disclosure of details of an information breach, negative responses show up in the form of falling share prices. The impact can be disturbing, he added.
“EMA recently followed the closing stock prices of six U.S. companies which had disclosed an information security breach between February 2005 and June 2006.
“Within a month of disclosure, the average price of these stocks fell by 5 percent, and remained in a range of 2.4 to 8.5 percent below that of the date of disclosure for another eight months,” he said.
“The stocks did not recover to pre-incident levels for nearly a year.”’
Plenty of other references:
Now on to our impromptu self-survey:
To test this conclusion I pulled up the best chronology of data breaches I know of, at http://www.privacyrights.org/ar/ChronDataBreaches.htm. It is by far the most complete, up to date, and independent list I have found (i.e. no commercialization of the information). I did find it interesting how large a percentage of state, healthcare, and education institutions were caught off guard. Needless to say, I had a hard time choosing candidates that fit my strict survey criteria: companies that were public (so I could check the stock price) and that suffered a significant breach (500,000 or more records). I began at the most recent breaches and worked backwards in time to ChoicePoint’s inaugural appearance in this timeline. Note that the stock prices were not hit immediately, as they would be if the market treated a breach like any other negative disclosure from a public company (stock option backdating, or legal battles à la BlackBerry; by the way, that stock is up nearly $30 since they won / settled that case).
The first entry in our open survey is the 2,600,000 past and present Circuit City credit card customers. According to the site’s entry on the breach, it was Chase Card Services that “…mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders’ personal information.” The tapes could simply have landed in a dumpster, or found their way to the open market, where that kind of data is worth anywhere between $60 and $150 per record depending on what the tapes hold (a low-end street value of roughly $156,000,000 for 2.6 million records). The catch here is: were they following the PCI DSS standard? Were the tapes encrypted, with proper key management adhered to for such valuable items? My unsubstantiated ruling is no, or else they would not have needed to disclose the fact of the “discarded” tapes. In fact, GLBA, SB-1386 and a host of other laws don’t require disclosure if proper encryption is in place. Our review of Circuit City (CC) found the stock price did not go down, but in fact went up and has been riding high ever since. A quick check of Chase shows the same trend. Of course, these are two massive companies that shouldn’t be heavily impacted by such an incident, or should they?
Circuit City chart from Google Finance (a wonderful tool that even adds news events to the charts, so you can see what is really moving the stock):
Chase Chart showing a similar story:
Wells Fargo had a breach on September 1st (an auditor lost his work papers, clearly not following the procedures and controls that s/he was testing at the client), and the stock price has moved higher ever since. No more charts; they all show the same thing, but please visit finance.google.com to see the same graphics as above.
Diebold: even the company buried under the electronic voting scandals suffered a breach, and it had no impact on its own stock.
Chevron lost the PII of half of its North American employees and did not suffer a hit to its stock.
AIG suffered two breaches, and neither of them impacted the stock price.
Finally we end on ChoicePoint, the unfortunate company that first met the press on data breach disclosure and may have been single-handedly responsible for 21 other states creating data disclosure laws. The chart below shows that CPS was already headed down (insider information, perhaps?), but it did eventually recover after a few months, not years as the study stated.
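The survey above compares each stock against its close on the disclosure date, the same measurement EMA quotes (change at four weeks, and the band the stock trades in for the following eight months), and the ChoicePoint case shows why the weeks before disclosure matter too. The following script is an added example, not part of the original post or of EMA’s study, that performs that event check on a closing-price series. The two price series in it are constructed for illustration and are not real prices for any company named here; the eight-month watch window is approximated as 30-day months, and “recovered” means the first post-disclosure close at or above the disclosure-date close.

```python
from datetime import date, timedelta

# Constructed sample data (NOT real prices): one (trading day, close) per entry.
# Sparse dates are fine; lookups take the first trading day on or after a date.
FALLING = [  # shaped to reproduce the numbers quoted from the EMA study
    (date(2006, 5, 4), 44.00),   # 4 weeks before disclosure: already sliding
    (date(2006, 5, 18), 42.00),
    (date(2006, 6, 1), 40.00),   # disclosure date (base)
    (date(2006, 6, 15), 39.00),
    (date(2006, 6, 29), 38.00),  # 4 weeks after: -5.0%
    (date(2006, 7, 27), 36.60),  # low point: -8.5%
    (date(2006, 9, 7), 39.04),   # -2.4%
    (date(2006, 11, 2), 37.00),
    (date(2007, 1, 25), 38.00),  # still below base inside the 8-month window
    (date(2007, 2, 15), 40.40),  # first close back at or above base
]
RISING = [  # the Circuit City / Chase pattern: no dip at all
    (date(2006, 5, 4), 20.00),
    (date(2006, 6, 1), 20.00),   # disclosure date (base)
    (date(2006, 6, 2), 20.50),
    (date(2006, 6, 29), 22.00),
    (date(2006, 8, 1), 23.00),
]


def close_on_or_after(series, when):
    """Closing price on the first trading day on or after `when`."""
    for day, close in series:
        if day >= when:
            return close
    raise ValueError("no trading day on or after %s" % when)


def breach_reaction(series, disclosed, weeks_after=4, months_watch=8):
    """Summarise price movement around a breach disclosure date.

    Returns a dict with:
      base          close on the disclosure date (or next trading day)
      pre_drift     % change over `weeks_after` weeks *before* disclosure,
                    to separate a pre-existing slide from the breach itself
      at_4_weeks    % change from base `weeks_after` weeks after disclosure
      watch_min     lowest % change from base over the next `months_watch`
      watch_max     highest % change from base over the same window
      recovered_on  first post-disclosure date with close >= base, or None
    All percentages are rounded to two decimals; months are approximated as
    30 days (an assumption of this example, not a rule from the study).
    """
    base = close_on_or_after(series, disclosed)
    before = close_on_or_after(series, disclosed - timedelta(weeks=weeks_after))
    after = close_on_or_after(series, disclosed + timedelta(weeks=weeks_after))
    window_end = disclosed + timedelta(days=30 * months_watch)

    def pct(close, ref=base):
        return round(100.0 * (close - ref) / ref, 2)

    window = [pct(c) for d, c in series if disclosed < d <= window_end]
    recovered = next((d for d, c in series if d > disclosed and c >= base), None)
    return {
        "base": base,
        "pre_drift": pct(base, ref=before),
        "at_4_weeks": pct(after),
        "watch_min": min(window) if window else None,
        "watch_max": max(window) if window else None,
        "recovered_on": recovered,
    }


if __name__ == "__main__":
    for name, series in (("constructed falling", FALLING), ("constructed rising", RISING)):
        print(name, breach_reaction(series, date(2006, 6, 1)))
```

On the falling series the output reproduces the study’s headline figures (-5% at four weeks, a band of -8.5% to -2.4% over eight months, recovery only after the window), but it also reports a -9.09% drift in the four weeks before disclosure, which is the question to ask before crediting the breach with the drop. On the rising series the “recovered” date is the very next trading day and every window figure is positive, which is what this survey found for most of the companies above.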
In conclusion, perhaps a broader definition of disclosure and a larger sample could have been used, but the fact is these disclosed breaches did not bring down the companies, nor did they hurt their stock prices. From a risk manager’s perspective, I hate bad news and don’t want to see my clients or customers in the news under such conditions, but it is important to shed light where it needs to be shed. FUD (fear, uncertainty, doubt) tactics are archaic, inappropriate for professionals, and counterproductive to the objective (achieving a balance between risk and reward, or in this case security and agility). It is far better to focus on the real, quantifiable costs of non-compliance, so business managers can properly weigh the cost of each control a company employs.
Of course, this is a second pass at another study done with the same number of companies, and I hope and expect another analysis to occur that supports or displaces my proposed conclusion. Until then….
Comments, questions, counters?
James DeLuccia IV