Should companies care about data breaches?

Large companies do not have an economic incentive to prevent privacy breaches occurring, according to researchers from Harvard and Carnegie Mellon Universities this week.

The researchers studied 78 breaches from 2000 to 2006 in publicly traded companies, and looked at whether there was any major change in the stock price. Overall, stock dipped sharply on the first and second days after a breach was revealed but started to climb on the third, and eventually reached pre-breach levels.

On average, companies had just under $10m wiped from their stock price over the two days after the breach, leading the researchers to question whether there was any economic reason in terms of share price for companies to implement measures to stop privacy breaches.

Researcher Allan Friedman, who appeared at the Workshop on the Economics of Information Security at the University of Cambridge on Wednesday, said: "The potential costs for the company in terms of share price may not be enough of an incentive. Should companies care?"

If companies have to implement privacy procedures, hire lawyers to ensure compliance and track back-up tapes, it may cost more to prevent privacy breaches than ensure they don't happen, Friedman said.

Recently, there has been a proliferation of customer privacy breaches, where confidential customer information is leaked through lost or stolen equipment, hacking, or insider attacks. It can often lead to identity theft. ChoicePoint, Ernst and Young, Medical Excess, Time Warner and UPS are all companies whose sensitive customer information has been exposed through such incidents.

Both Friedman and fellow researcher Alessandro Acquisti stressed that companies need to consider other possible fallout from privacy breaches aside from the minimal effect on share price.

Acquisti said: "There could be [contractual] liabilities, fines, loss of reputation, loss of sales and loss of partnerships."

The researchers said it was difficult to take into account all these factors when calculating the total economic damage to a company compared with the cost of trying to guard against privacy breaches, because of the difficulties of measuring the effect of loss of reputation.

Friedman added: "It's a harder case to show the total expected value [of preventing privacy breaches] is negative."

Security experts from encryption vendor PGP Corporation agreed it would be difficult to measure the overall effect of privacy breaches on a company.

Jon Callas, chief technical officer for PGP Corporation, said: "It's very hard to measure how much it loosens up customers. Some say 'I'll leave immediately', some don't. It's hard to establish how this leads to loss of revenue."

Callas also argued that preventing security breaches can be relatively inexpensive.

He said: "For example, if someone loses a laptop containing sensitive information. Having encryption on that laptop would have stopped the breach, as would deploying encryption throughout the company in back-up procedures, tapes and storage. If everything is encrypted properly you don't have to worry if a tape is lost."

Tom Espiner writes for ZDNet UK