Data breaches at the world’s largest corporations are becoming a commonplace affair, but are investors on Wall Street really paying attention? A new study from UK-based pro-consumer website Comparitech looked at the recent stock market performance of 28 different companies that recently suffered a massive data breach of some kind (defined as a breach impacting 1 million or more customer records), in order to see whether investors were punishing these companies for their data privacy lapses. The overall picture that emerges is that these companies underperform the stock market over the long run – but not by as much as you might think.
Methodology behind the model linking data breaches and share prices
Over the past three years, Comparitech has honed and refined its methodology, in order to come up with the best possible model that explains the link between data breaches and market share prices. In the 2019 version of the study, Comparitech analyzed 28 companies, all of them listed on the New York Stock Exchange (NYSE), and all of which have recently suffered a massive data breach of some kind. The list of companies analyzed include some of the most iconic names in the U.S. marketplace, such as Apple, Adobe, Capital One, Equifax, Facebook, Home Depot, JP Morgan Chase, LinkedIn, Marriott, Sony, Under Armour and Vodafone. In some cases, these companies have suffered more than one massive data breach, which is why the data set includes 33 different breach events.
Once the proper data set was assembled, that’s when the researchers could look at various time periods of stock market performance. For example, how severe was the immediate aftermath of the public disclosure of a data breach? Most people might assume that Wall Street investors immediately swoop in and punish companies by lopping off tens of millions of dollars in stock market valuation. However, as we’ve seen in the case of Facebook, even events that some might assume would move the market significantly – such as the FTC imposing a $5 billion fine on the company for its data privacy violations – is often not nearly as impactful as assumed.
For the purposes of stock market performance evaluation, the researchers decided to use the stock market performance of the NASDAQ as a benchmark. Thus, if the stock price of a company falls 1% in the aftermath of a data breach, and the overall value of the NASDAQ increases by 2% in that same period, then the researchers said that the data breach company underperformed the stock market by 3%. This is an important aspect to consider, because investors often keep in mind the overall context of the market when deciding where to invest. They are much more likely to punish “laggards” that fail to keep up with the overall market, and may be more forgiving of a data breach if the entire market is moving sideways or down. In short, context matters.
Stock market performance in the short- and long-run
Putting it all together, the 2019 Comparitech study looked at relative stock market performance over a variety of time intervals after a major data breach: 14 days, 30 days, 6 months, 1 year, 2 years and 3 years. In general, the researchers found, the impact of a data breach diminishes over time. This makes intuitive sense, since news of a data breach will fade from memory over time, and companies will be taking investor-friendly mitigation or remediation steps (e.g. firing top executives, installing new IT systems, beefing up internal security) to address the original data breach.
Generally speaking, the peak danger period – the time period when investors are most skittish and most likely to dump shares in a company – is the 14-day period after the public announcement of the data breach. During this time period, some nervous investors might decide to dump shares of the company in panic selling, and other investors who otherwise might have decided to buy shares in the company are now staying away. In layman’s terms, the company is too hot to handle. On average, share prices fell by 7.27% in that 14-day period and underperformed the NASDAQ by 4.18%.
Over a 30-day period, though, share prices tended to rebound and often caught up to overall NASDAQ performance. By this time, presumably, investors have decided that a massive data breach might not actually be as severe as once thought. Six months after a data breach, companies started to perform better than they did in the six-month period before the data breach. Over a 1-year period, share prices underperformed the NASDAQ market by 6.49%. Over a 3-year period, share prices underperformed the NASDAQ market by 13.27%. These results are similar to the results from 2018, when share prices also underperformed the NASDAQ over one-year, two-year and three-year intervals.
Factors impacting stock market performance after a data breach
Another important point to keep in mind is that there is not a direct correlation between the size of the data breach and the size of the stock market correction. In other words, a massive data breach impacting 100 million customer records will not be 10 times as bad, from a stock market perspective, as a data breach impacting 10 million customer records.
Instead, the researchers found, there were two other factors that were much more tightly correlated with stock market performance in the aftermath of a data breach – industry or sector of the company, and the type of data compromised. For example, the biggest impact of a data breach is on financial services and payment companies, while a much more muted impact is on healthcare companies. And, as might be expected, data breaches that leak highly sensitive customer data (e.g. credit card and Social Security numbers) are punished much more swiftly by investors than other forms of data breaches.
The dangers of data breach fatigue
In addition to Comparitech, other researchers have also attempted to model the link between data breaches and stock market performance. For example, Bitglass looked at “monster breaches” at companies such as Equifax and Marriott and found that stock prices eventually recovered. On average, shares fell by 7.5% in the aftermath of a data breach. However, 46 days later, share prices had returned to pre-breach levels. While shares may still be underperforming the overall market, it’s not like a data breach is a “death sentence” for a publicly traded corporation.
As breaches proliferate, there is the potential danger of data breach fatigue. Researchers have found, for example, data breaches in the period before 2012 tended to be followed by severe investor responses, as panicked investors dumped shares in the company. In the period after 2012, however, the response has been much less severe. This could reflect the fact that data breaches have become so commonplace that even the public disclosure of a massive breach is viewed as “business as usual” by investors. That might help to explain why even massive data breaches at a data-centric company like Facebook can sometimes be followed by the share price increasing, not decreasing, in value. If so, that’s a real danger. It means that even the implied threat of weak stock market performance might not be enough to keep executives at top companies focused on safe data privacy practices.