Privacy breaches are now common events, and though they clearly hurt customers, do they actually hurt businesses?
At first glance, the potential remediation costs for firms that fail to protect consumer data seem huge: costly lawsuits, a year of paid credit monitoring for affected customers and the potential loss of future business. But these costs look like short-term losses for companies, and most companies are actually insured against those risks.
So, do privacy breaches hurt a business’s bottom line?
My research looks at the effect of privacy breach disclosures on the stocks of companies once the breach is actually disclosed. For example, in February 2015, Anthem, one of the largest health insurance companies in the U.S., announced that critical information for 80 million customers and employees had been stolen. The stock barely decreased on the day the breach was disclosed, and it even reached an all-time high a few days later on the strength of better guidance and earnings.
It sounds puzzling, but behavioral finance tells us that investors may suffer from rational inattention, especially when a negative disclosure is coupled with more positive news. It’s the old good-news-offsetting-bad-news trick: firms disclose a privacy breach within a certain time period—often dictated by state breach notification law—and pair it with some other positive news about the firm.
In my research paper “Strategic News Bundling and Privacy Breach Disclosures,” I examine whether and why this is the case. Using a complete dataset of privacy breaches from 2005 to 2014, I find that, controlling for media coverage and holding all else equal, the small decline in stock price caused by a privacy breach disclosure is offset when the firm releases a larger than usual number of positive news reports on the same day (a new product, a venture or even better guidance). This strategy could increase the stock’s returns by 0.47 percent for every additional positive news report beyond the firm’s usual media coverage. This makes clear why some firms actually see their stock rise after reporting a privacy breach.
My data analysis also reveals some more common traits of privacy breaches.
Firms in the finance, insurance and real estate industries represent more than a third of the firms breached multiple times. The other large group comprises companies in the retail, manufacturing and services industries. Interestingly, three firms in the finance and insurance industries were breached more than 14 times during the 2005-2014 period, consistent with those firms being known to hold more sensitive and valuable information such as Social Security and bank account numbers.
Surprisingly, payment or credit card fraud events make up a small category of privacy breaches. This may be due to the higher level of security and regulation imposed on those companies, which makes them harder for average attackers to break into. Nonetheless, when those events do happen, they usually involve a larger number of breached records.
A similar pattern emerges from the media analysis of the data.
First, not all privacy breaches make it into the news. Most of the unreported cases are either small in scale or in industries where the stolen data is not strategic, such as the mining industry. Second, as expected, industries holding more confidential data get a lot of media attention when breached. For example, in the financial industry, privacy breach disclosures are reported as breaking news 58 percent of the time. Third, the larger the firm, the more likely there will be a breaking news report about the breach on the day of disclosure (83 percent for firms with a market capitalization above $100 billion versus only 8 percent for firms under $1 billion). Fourth, the higher the number of records breached, the more likely the privacy breach will reach the market through a breaking news report (52 percent for more than a million records breached versus only 40 percent on average for fewer than 100,000).
Finally, corporate governance after a privacy breach is unaffected. Despite the media stir they cause, breaches do not lead to a change of CEO within the company, at least during the period covered in this report. CIOs, who are closer to the information technology issues, were more likely to be ousted, but recent examples may signal a sea change in enterprise governance. In mid-2014, Target fired its then CEO Gregg Steinhafel in the wake of a major data breach. This year, the U.S. Office of Personnel Management's director, Katherine Archuletta, resigned after a flood of calls for her to be fired following the massive OPM hacks, and, just last month, Noel Biderman resigned as CEO of Avid Life Media, the parent company of Ashley Madison, after its well-publicized data breach.
Overall, the results of my analysis suggest that the effects of a privacy breach on a breached firm are very small, but significant, once you tease out the other market effects.
Moreover, if a firm releases a larger number of positive news items on the day of disclosure, the decrease in abnormal returns caused by the privacy breach disclosure is offset, which explains why some stocks actually benefit from a privacy breach, surprising as that seems.
Policy-wise, these results imply that requiring firms to report all types of breaches by press release would lead to more transparency. If a firm fears that a larger breach would do greater damage to its reputation, and in turn to its stock, it would have an incentive to protect its data better against any privacy breach, since any stock of positive news the firm is sitting on would be depleted.