Study finds security breaches’ affect on shares

Data security breaches have little impact on the share price of affected firms, according to a new report, prompting concerns that firms lack sufficient economic incentive to ensure customers' details are fully protected. However, other drawbacks – such as damage to reputation and legal liabilities – may increase the costs if problems occur.

A study by Harvard and Carnegie Mellon Universities analysed 78 data breaches from 2000 to 2006 and found that while share prices dipped after breaches were revealed they tended to improve three days later and ultimately returned to their original level. On average, companies had less than US$10m knocked off their share price in the two days after a data breach was revealed.

The report cites the example of verification services firm Choicepoint, which compromised 163,000 consumer credit reports, which led to a fall in share price and a US$15m fine. It argues that "such extreme market consequences are… not common and are often short-lived", and observes that despite the bad publicity Choicepoint's stock was at pre-breach levels a year later.

The report also says that though surveys indicate consumers have a more negative view of firms that experience data breaches "there is little evidence that the professed retaliation against offending companies has actually taken place".

However, Simon Perry, vice-president of security at CA, argued that though breaches have not significantly affected share prices in the past, they are likely to do so in future. "Investors and consumers have short memories, but in a few years we'll see the adverse impact increase as people realise the reputational damage data breaches have," he said.

The report adds that while most share prices returned to normal in the wake of breaches firms should also consider the impact in terms of fines, legal liability, damage to customer and partner relations, and increased insurance premiums.

Perry added that firms must reduce the risk of data breaches to comply with increasingly stringent privacy regulations. "There is a bill proposed in the US to standardise data protection and breach notification," he said. "There are enough high-profile cases to conclude this legislation will come eventually."