Larry Ponemon has carved out a difficult job for himself. The founder of the Ponemon Institute, which focuses on reporting the impact of data breaches on the corporate landscape, has to go and ask large companies how many times they’ve been compromised, and just how badly it messed them up. As it turns out, this is not a popular subject.
“When we first started this, it was like pulling hair from your head”, he admits. Over time, Ponemon has cemented his relationships with the companies he surveys, and the research also offers them some benefits by way of free consulting work. Encouraging full disclosure, however, is always an uphill struggle.
Trust in the Wisdom of Markets?
Is there an easier way for us to assess how badly data breaches impact companies? Libertarians might suggest that we leave the markets to work it out. After all, advocates of the Chicago School would argue that the stock market is a panacea. We’re going to fix climate change with it. It’s going to regulate the water shortage. Milton Friedman’s acolytes see an unequivocal truth lurking in the peaks and troughs of equity stock charts.
So, what does the market make of companies that play carelessly with peoples’ data? Does it punish them enough (or at all)? Kevin Gatzlaff thinks so.
Gatzlaff, while serving as a professor in the Department of Risk Management/Insurance at Florida State University, conducted a study of 77 organizations to see how publicly disclosed breaches affected their share prices. “We did find a significant negative effect”, he recalls.
Gatzlaff’s research focused on events that took place between 2004 and 2006, the year before the scandal over the TJX breach, in which millions of credit card numbers were compromised. Since then, press coverage of data breaches has mounted, not least because of increasing state legislation demanding that organizations disclose their privacy peccadilloes. Still, it is difficult to find a more recent analysis of a breaches’ impact on a company’s market standing. How much has the landscape changed in the last three and a half years, and to what extent are data breaches now encouraging share prices to bounce around in a market that is both shaken, and stirred?
Data Breach Box Scores
Let’s look at the five largest data breaches among publicly listed companies since January 2007. Payment processor Heartland Payment Systems is currently listed as the largest data breach on record. Heartland lost 130 million records after its network was hacked. It discovered the incident on Jan. 12, 2009, and officially reported it seven days later, the day before President Obama’s inauguration.
| "The markets know that a data breach is a bad thing, but they don’t understand really how it affects customer behavior" |
| Larry Ponemon, Ponemon Institute |
Even a breach of that size couldn’t hide in Obama’s shadow. Heartland’s stock tanked faster than a joke about dynamite told in an airport security lineup. By March 6, it had reached $4.03 – an all-time low, and only just over a quarter of the $15.44 closing price on the day that Heartland announced the breach.
The incident marked a clear departure from the Dow industrials index, which has little to do with industrials these days, but is widely used as a benchmark for US corporate performance. Heartland’s stock trailed the Dow comparatively, only just rebounding to its original price from when the breach was announced. The Dow outperformed it in terms of percentage growth during the same timeframe, having risen around 20%.
Retail Group TJX is seen as the second largest data breach in history. On Jan. 17, 2007, the company reported that its networks had been compromised. It transpired that 94 million customer credit card records had been filched across a variety of subsidiaries. Just as with Heartland, it took a couple of months for the price to bottom out. By March 16, TJX shares had reached $26.10. It was a dip, but not much of one from the $29.63 that it closed at on the day that it announced the breach.
Still, for this or other reasons, TJX’s shares became lethargic in comparison with the rest of the market. It slipped below the Dow in price/percentage growth terms by the start of February, and it wasn’t until almost exactly a year later that its stocks consistently met that index again, outperforming the Dow in growth terms. Since then, TJX has healthily outperformed the Dow index. At the time of writing, its price rested at $42.98, representing a 44% growth since the breach occurred, compared to the Dow’s 13% shrinkage.
The third largest data breach in a publicly traded company since the end of 2006 happened to Deutsche Telekom. The German telecommunications firm lost 17 million customer records in a data breach in 2006, but the incident was only reported by Der Speigel in October 2008, with the company pre-empting the story by confessing a few days before.
Deutsche Telekom’s stock immediately plunged, and then rallied, bumbling along quite nicely until beginning a slow, steady decline at the end of 2008, from which it has yet to recover. It is off 15% from its October 10 price at the time of writing, compared with the Dow, which is up 4% during the same period.
Number four: on March 26, 2008, BNY Mellon Shareowner Services, a division of BNY Mellon, reported that an archival company it contracted had lost a box of tapes, including customers’ names and social security numbers. Eventually, the company revealed that 12.5 million records had been lost.
BNY stock has suffered since that day. It slumped in the days surrounding the announcement of the breach, and has since underperformed the index. As of mid-March, the Dow has shrunk around 20% since the day of the announcement. However, the bank has seen a third of its price just before the announcement wiped out.
Japan’s Dai Nippon Printing is the fifth largest data breach for a publicly listed company since 2006. The company lost 8.63 million records after a former contract worker made off with private customer data from 43 clients. The incident was reported on March 12, 2007, but six days later, the company’s stock bottomed out after a sharp decline that had begun a month earlier.
| "The biggest issue here is that damage can be multiplied if you don’t have an effective plan and haven’t trained for it" |
| Donovan Neale-May, CMO Council |
It then bounced back, outperforming the Nikkei 225 (the Japanese equivalent of the Dow), which began its own decline just as Dai Nippon’s price recovered. In fact, Dai Nippon’s growth didn’t dip below the index’s price/percentage growth rate for four months. As of mid-March, the Nikkei is down 19%, but Dai Nippon has lost 29% of its value from just before the breach was announced.
Perception vs. Reality
These analyses are fraught with difficulties, and there are many reasons why some breaches might cause the market to react more harshly than others. Perhaps another news event may have influenced a stock’s price, for example. Or perhaps the market isn’t the best litmus test, muses Ponemon.
“The markets know that a data breach is a bad thing, but they don’t understand really how it affects customer behavior. They don’t really see long-term economic impact. Markets are weird this way. They will adjust favorably or unfavorably based on factors that may be unrelated to the trust of customers.”
Ponemon also suggests that the impact of breaches on the market perception of a company might vary according to sector. Heavily regulated sectors, such as healthcare or finance, may be expected to do more than, say, retailers, he suggests.
If the material effect of a breach rests largely on public perception, then we should also consider the type of information that has been compromised, points out Paul Stephens, director of policy and advocacy at the Privacy Rights Clearing House. The Clearing House was the main source for the breach information used in Ratzlaff’s study.
“There are numerous breaches in which the only individuals impacted have been employees – for example, payroll and human resource information”, Stephens says. “As bad as those breaches may be, members of the public aren’t likely to be terribly concerned if the only information breached was employee data.” Conversely, merchant breaches may provoke more outrage, he warns.
So, if share price isn’t a good benchmark for the effect of a data breach on a company, then what is? Obviously, direct and indirect costs are one way to measure things. Ponemon’s data breach report suggests that the average cost per lost record in a data breach rose to $204 last year from $202 during the previous year.
Another way to measure things is perhaps more opaque: customer churn. “What typically happens in a breach is that people lose confidence in an organization, and there’s a high level of what we refer to as abnormal churn”, Ponemon says. He sees churn rates among customers who are notified of a data breach hitting 9% in some cases. It could be higher, when customers who hear the news via the press are taken into consideration. Given the cost of new customer acquisition, those figures will hit a company hard in the wallet.
A 2006 survey of chief marketing officers by the CMO Council found that two-thirds of customers would seriously consider taking their business elsewhere if a supplier experienced a data breach. A quarter definitely would. “The biggest issue here is that damage can be multiplied if you don’t have an effective plan and haven’t trained for it”, says Donovan Neale-May, executive director of the CMO Council.
| "There are numerous breaches in which the only individuals impacted have been employees – for example, payroll and human resource information. As bad as those breaches may be, members of the public aren’t likely to be terribly concerned if the only information breached was employee data" |
| Paul Stephens, Privacy Rights Clearing House |
Our modest comparison of share performance against relevant indices is far from conclusive. Some companies bounced back, although it took a while. Others appeared to suffer very little immediate impact at all. Others are still lagging the market, but whether that is solely because of customer data having been compromised is hard to say. Instinctively, with so many other factors at play in such a volatile economic environment, it seems unlikely.
Maybe at the end of the day, we simply don’t want to know badly enough about data breaches to pursue the issue. The most depressing fact we found when researching this article was that the Open Security Foundation, which operates the Data Loss DB database of data breaches, seems to be almost entirely bereft of financial support from the industry. It asked for $9500 for its fund-raising drive. At the time of writing, it had accumulated just $380.
Perhaps Larry Ponemon is right: the truth doesn’t lie in stock charts, technical analysis, or fundamentals. Perhaps, instead, it lies right there, in the fact that we’re unwilling to pay the cost of two lost customer records to support an organization that is telling us what’s really going on.