BreachExchange mailing list archives

Economic Impact from a Company’s Data Breach – No Big Deal? Not So Fast!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 11 May 2015 18:41:11 -0600

http://www.jdsupra.com/legalnews/economic-impact-from-a-companys-data-br-01987/

Recent data breaches have prompted worries about economic damage to the
infiltrated companies. Analyses in fact show minimal effects on stock
prices or revenues of the hacked companies. But that may be only temporary
comfort as commentators urge a longer-term view.

A recent article in the Harvard Business Review found that “even the most
significant recent breaches had very little impact on the company’s stock
price.” Similarly, “actual expenses … amount to less than 1% of each
company’s annual revenues. After reimbursement from insurance and minus tax
deductions, the losses are even less,” according to a new analysis from a
fellow at the Columbia School of International and Public Affairs.

Good news? To an investor looking solely at publicly disclosed costs of
data breaches by large retailers, one takeaway may be that sophisticated
companies have done a decent job of preparing for, responding to, and
insuring against large data breaches. Another question, however, is whether
the costs are merely shifted to consumers, who as a group bear the brunt of
the inconvenience and anxiety associated with a data breach, even where
monetary loss is minimal. And if a large company does not feel the pain in
its bottom line, does it have adequate incentive to invest in cybersecurity
measures to protect consumers? And without market incentives, will that
prompt more government intervention and regulatory fines?

What about the longer term? It is not clear to what extent corporate data
breach victims incur damages that are not subject to data breach
notification laws – e.g., losses from competitor or state-sponsored theft
of intellectual property, customer lists, business plans, and other
proprietary data that, while sensitive and valuable to the owner, may not
contain personal identifying information. The incentives to protect access
to this data may outweigh any notion that the costs of consumer data
breaches are too low to justify additional investment in cybersecurity.

The publicly disclosed costs also do not factor in reputational interests,
customer loyalty, distraction to senior management, and other less easily
quantified costs. All stakeholders will continue to wrestle with efforts to
quantify all of the hard and soft costs of data breaches of all kinds,
short and long-term, so that risks can be better assessed and managed
through the private and public sectors.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
