When it comes to the business impact of data breaches, companies that have suffered a compromise of at least 1 million records average suffered an immediate post-breach decrease in share price of 0.43%, about equal to their average daily volatility.
The security and privacy advice and comparison website, Comparitech.com, looked at the closing share prices of 24 companies, including Apple, Adobe, Anthem, BetFair, Countrywide, Community Health Systems, Dun & Bradstreet, eBay, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone, VTech and Yahoo. The analysis started the day prior to the public disclosure of their respective data breaches of at least 1 million records leaked, with some surpassing 100 million.
A one-year model showed that share prices experienced an immediate 2.84% drop versus the NASDAQ average, and took 38 market days to recover. The stocks then outperformed the NASDAQ until day 175, at which point they started falling again. Three years after a breach, share price had fallen 42% relative to the NASDAQ baseline.
“Data breaches stain the reputations of companies both big and small, damaging the brand and reducing consumer trust, and sometimes the consequences can affect the company for years to come,” said Paul Bischoff, researcher and privacy advocate for Comparitech.com. “A data breach can harm both public sentiment and a company's competitive edge in the market depending on the type of breach. In this study, we wanted to quantify that sentiment and assess the impact on investors through Wall Street’s reaction to a data breach.”
The research found that across the board, stock prices continue to rise overall in spite of data breaches, but much slower than they did previously. It also uncovered that more recent breaches had less of a negative impact on share price than older ones, perhaps due to ‘breach fatigue’. Breaches could be increasingly tolerated by the market over time.
Javvad Malik, security advocate at AlienVault, noted that companies shouldn’t be lulled by the fatigue data point: “The research by Comparitech.com shows that it is difficult to determine the full impact of a data breach upon companies immediately, rather the impact can compound over a longer period of time. While data breach fatigue may be settling in, companies cannot underestimate the full impact a breach will have on its bottom line. In particular, small, mid-sized, or businesses with only a few revenue streams should particularly be vigilant and invest in security controls that can help detect and respond to attempted breaches rapidly, as they would be less able to absorb the financial hit.”
The research also found that finance companies experienced the largest immediate decline in share price directly after a breach, but internet businesses, such as ecommerce and social media companies, suffered the most in the long term.
As expected, breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. But, the sensitivity of breached data had a less clear impact on share price in the long term as other factors come in to create “noise” for shareholders and introduce other aspects to be considered around the health of the stock.