An Empirical Investigation of the Effect of Privacy Breaches on Firm

© Brian Wasko
An Empirical Investigation of the Effect of
Privacy Breaches on Firm Market Value
by Marilyn Prosch, Ph.D., CIPP – Arizona State
University and Vernon Richardson, Ph.D. –
University of Arkansas
Presented by Brian Wasko
Department of Electrical Engineering & Computer Science
EECS 711 – Security Management & Audit
Academic Paper Presentation
[email protected]
14 February 2012
Outline
• Introduction and Personal Motivation
• Paper Background
• Paper Theory and Hypotheses Development
• Study Population and Findings
• Summary and Conclusions
Introduction and Personal Motivation
• Various types of incidents are reviewed in Chapter 3
of our textbook:
– Some escalate to Disaster Recovery / Business Continuity
plans
– Other incidents never get “escalated” but can be far more
damaging than any disaster (natural or otherwise)
• Recent events make privacy incidents “high-profile”
– Industry-sector regulations (HIPAA / HITECH)
– State breach laws
– SEC’s recent (10/13/2011) Cybersecurity guidance
– FTC enforcement actions against Google, Facebook
• Due to the external stakeholders involved with
privacy incidents, several unique Contingency
Planning factors come to mind:
– Criticality of this specific incident type being documented in
the BIA
– Incident Response plan may involve 3rd party consultants to
help Management confirm detection, resolve the issue and
resume operations
– IR plan may also involve 3rd party auditors to initially attest
to, and then validate remediation biannually for 20 years
(i.e. Google / Facebook)
• I found a related article from one of the authors in
the AICPA’s Journal of Accountancy magazine (the
authoritative publication of the public accounting
profession)
• This paper’s authors are notable for two reasons:
– Marilyn Prosch is one of the world’s foremost experts on
privacy
• She served on the AICPA/CICA Privacy Task Force which
developed GAPP (Generally Accepted Privacy Principles)
– Vernon Richardson used to be an Accounting professor at
KU!
Paper Background
• Privacy breaches have an impact on many different
stakeholders:
– Consumers: less trust in those organizations that breach
their data
– Organizations: financial losses in hard dollars due to the
variety of breach incident costs (notification, settlement,
credit monitoring, etc.) and soft dollars due to lost future
sales
– Financial markets: authors noted that little systematic study
had been conducted over the capital markets’ reaction to
privacy breaches
• Previous market-based research was nominal:
– Garg et al. (2003) found an approx. 5% market decrease in
the 3-day period after security breaches
– Cavusoglu et al. (2004) found only a 2.1% loss of market
value within two days of a security breach announcement
• Privacy breaches weren’t isolated in prior studies of
generalized ‘security incidents,’ and the authors
theorized that the market reacted even more strongly to
this specific incident type
Paper Theory and Hypotheses Development
• Stock market reaction is a reflection of how a privacy
incident affects the present value (PV) of the firm’s
future expected cash flows (ECF)
• Prior to a breach announcement, investors value a
firm at its market value per share of equity
• This is likely negatively affected by:
– Increased InfoSec spending
– Cost of offering privacy monitoring services
– Loss of trust = loss of future sales
– Litigation and/or Potential FTC sanctions
• Research is guided by an adaptation of the 4D model
of IS Security developed by Loch et al. (1992)
• Paper Hypothesis (H1A): a publicly traded firm’s
announcement of a privacy breach is negatively
associated with abnormal stock returns
• Paper Hypothesis (H2A): the magnitude of abnormal
negative returns is greater for firms more dependent
on the Internet for revenue
• Paper Hypothesis (H3A): the magnitude of abnormal
returns is greater for smaller firms than larger firms
• Paper Hypothesis (H4A): the magnitude of abnormal
returns is negatively related to the number of
individuals affected by the breach
• Paper Hypothesis (H5A): the magnitude of abnormal
returns is not different for various types of breach of
customer information
• Paper Hypothesis (H6A): the magnitude of abnormal
returns is greater for consumer privacy breaches than
for employee privacy breaches
• Paper Hypothesis (H7A): firms that experience a
privacy breach and offer free credit monitoring will
have a smaller decline in their abnormal returns than
firms that do not
• Paper Hypothesis (H8A): the abnormal stock market
returns for firms announcing privacy breaches will be
negatively associated with the length of time
between the privacy breach and the public
announcement
Study Population and Findings
• Sample was from two sources:
– The Privacy Rights Clearinghouse list of A Chronology of
Data Breaches
– SecureState’s 2005 and 2006 Disclosure of U.S. Data
Incidents
• Daily abnormal returns computed for a 3-day period
surrounding the privacy incident date and cumulated
over the period
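The 3-day cumulative abnormal return (CAR) described above, worked through as an added example that is not from the paper or from this presentation. It assumes a market model fitted by ordinary least squares on the 20 trading days before the window, which the slides do not specify; all return series are constructed sample data.

```python
# Added example: 3-day event-study CAR (days -1, 0, +1 around the announcement).
# Assumption: expected returns come from a market model fitted by OLS on the
# days before the window; the slides do not state which model the paper used.

def fit_market_model(firm, market):
    """Return (alpha, beta) from an OLS fit of firm returns on market returns."""
    n = len(firm)
    if n != len(market) or n < 2:
        raise ValueError("need two equal-length series of at least 2 points")
    mean_f, mean_m = sum(firm) / n, sum(market) / n
    var_m = sum((m - mean_m) ** 2 for m in market)
    if var_m == 0:
        raise ValueError("market returns have zero variance")
    cov = sum((f - mean_f) * (m - mean_m) for f, m in zip(firm, market))
    beta = cov / var_m
    return mean_f - beta * mean_m, beta

def cumulative_abnormal_return(firm, market, event_idx, est_len=20, half_window=1):
    """Return (CAR, daily abnormal returns) for the window around event_idx."""
    start, end = event_idx - half_window, event_idx + half_window
    est_start = start - est_len
    if est_start < 0 or end >= len(firm):
        raise ValueError("not enough data around the event date")
    # Fit only on pre-window days so the breach news cannot bias alpha/beta.
    alpha, beta = fit_market_model(firm[est_start:start], market[est_start:start])
    abnormal = [firm[t] - (alpha + beta * market[t]) for t in range(start, end + 1)]
    return sum(abnormal), abnormal

# Constructed sample data (not from the paper): 20 estimation days, then the
# 3-day window in which the firm underperforms the model by the SHOCKS values.
MARKET = [0.010, -0.005, 0.002, 0.007, -0.008] * 4 + [0.003, -0.002, 0.001]
SHOCKS = [0.0] * 20 + [-0.004, -0.015, -0.002]
FIRM = [0.0005 + 1.2 * m + s for m, s in zip(MARKET, SHOCKS)]
EVENT_IDX = 21  # announcement day (day 0)

if __name__ == "__main__":
    car, daily = cumulative_abnormal_return(FIRM, MARKET, EVENT_IDX)
    print("daily abnormal returns:", [round(a, 4) for a in daily])
    print("3-day CAR: %.2f%%" % (car * 100))
```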
• Not all hypotheses were proven correct, including:
– H2A: conventional firms actually experienced a larger
decline in stock market prices than Internet firms
– H4A: the # of individuals affected by a breach did not
impact the cumulative abnormal returns (CAR) during a
3-day announcement period
• Also, the authors found that:
– External breaches result in a greater decline in CAR than
internal breaches
– Accidental breaches are worse than intentional ones
– Avg. wait from breach to public announcement = 48 days
Summary and Conclusions
• Regulatory environment is complex and changing
• Technology is evolving: smart phones and mobile
wireless browsing = geo-location privacy concerns
• Privacy can also be a strategic advantage
• Build trust through compliance and certification
– Undergo a SOC 2 or SOC 3 audit of your firm’s compliance
with the AICPA/CICA’s Generally Accepted Privacy Principles
(GAPP)
– Consider TRUSTe
• Make sure your contingency plan’s BIA and IR
components include privacy
– BIA should assume privacy controls will fail in every system
– IR plan should involve key internal and external stakeholders
• Consider using a PR firm since you will probably be in the
news!
• Don’t let a privacy incident escalate into a disaster
that your business can’t recover from
Acknowledgements
• Are you interested in privacy?
– See the International Association of Privacy Professionals
(IAPP): https://www.privacyassociation.org/
– Become a Certified Information Privacy Professional (CIPP)
or maybe even a CIPP/IT
References
Cavusoglu, H., B. Mishra, and S. Raghunathan. 2004. The effect of
internet security breach announcements on market value:
Capital market reactions for breached firms and internet
security developers. International Journal of Electronic
Commerce 9 (1): 69-104.
Garg, A., J. Curtis, and H. Halper. 2003. Quantifying the financial
impact of IT security breaches. Information Management &
Computer Security 11 (2/3).
Prosch, M., and V. J. Richardson. 2008. An Empirical
Investigation of the Effect of Privacy Breaches on Firm Market
Value. University of Arkansas, Sam M. Walton College of
Business, Information Technology Research Institute. ITRIWP109-0408.
End of Foils