Economic Impact from a Company’s Data Breach – No Big Deal? Not So Fast!

Recent data breaches have prompted worries about economic damage to the infiltrated companies. Analyses in fact show minimal effects on stock prices or revenues of the hacked companies. But that may be only temporary comfort as commentators urge a longer-term view.

A recent article in the Harvard Business Review found that “even the most significant recent breaches had very little impact on the company’s stock price.” Similarly, “actual expenses … amount to less than 1% of each company’s annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even less,” according to a new analysis from a fellow at the Columbia School of International and Public Affairs.

Good news? To an investor looking solely at publicly disclosed costs of data breaches by large retailers, one takeaway may be that sophisticated companies have done a decent job of preparing for, responding to, and insuring against large data breaches. Another question, however, is whether the costs are merely shifted to consumers, who as a group bear the brunt of the inconvenience and anxiety associated with a data breach, even where monetary loss is minimal. And if a large company does not feel the pain in its bottom line, does it have adequate incentive to invest in cybersecurity measures to protect consumers? And without market incentives, will that prompt more government intervention and regulatory fines?

What about the longer term? It is not clear to what extent corporate data breach victims incur damages that are not subject to data breach notification laws – e.g., losses from competitor or state-sponsored theft of intellectual property, customer lists, business plans, and other proprietary data that, while sensitive and valuable to the owner, may not contain personal identifying information. The incentives to protect access to this data may outweigh any notion that the costs of consumer data breaches are too low to justify additional investment in cybersecurity.

The publicly disclosed costs also do not factor in reputational interests, customer loyalty, distraction to senior management, and other less easily quantified costs. All stakeholders will continue to wrestle with efforts to quantify all of the hard and soft costs of data breaches of all kinds, short and long-term, so that risks can be better assessed and managed through the private and public sectors.