The June issue of Compliance and Ethics Professional has a brief but interesting article by Sally March titled Are you confident it’s confidential? One of the references in the article cites the Ponemon Institute report “Reputation Impact of a Data Breach”. This is an older report from 2011, but we can examine the findings and determine the accuracy of the claims.
The study surveyed 843 senior-level individuals with deep expertise and knowledge about their organization’s brand and reputation management objectives.
We asked individuals participating in our study to estimate the economic value of their organizations’ corporate brand or reputation. The responses ranged from a value of less than $1 million to more than $10 billion. Using an extrapolation method we determined the average value of reputation or brand image for the organizations participating in the study – which is estimated as $1.56 billion. Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $332 million
The results are extrapolated which means they are estimated, but that will allow us to see if the persons surveyed were correct in their assumptions. Table 1. Calculus on the economic impact of reputation decline from data breach states that Diminished value resulting from a data breach of customer data is 21% while Diminished value resulting from a data breach of employee data is 12% while Diminished value resulting from a data breach of IP data is 18%.
Based on what we know in our previous studies of company valuation after a data breach these numbers do not sound correct which would mean that the impact is being overestimated. For our purposes we will look at equity performance since the data breach of several high profile companies with high profile data breaches. The change in consumer sentiment will be felt on the Income Statement which will be reflected through the stock price. We believe this is a more realistic way to determine economic impact as US markets are liquid and efficient.
Below are selected stock charts from TGT, HD, and SNE starting from the time their data breaches were reported in the news to the present day. We will also examine LL which experienced a dangerous consumer products scandal, broke by Case Capital Management that was aired on 60 Minutes to compare real world consumer harm vs. virtual consumer harm with regard to company performance.
We can distill the information provided by the stock charts down to the equity that was affected by the event, the stock price on the day of the event, the current stock price, and the change in value. As we can see the companies suffering from a consumer data breach experienced an average increase in value of 24%. While the company that experienced a real world hazard has decreased by 79%.
Equity | Day Of Event | Current Day | Change |
TGT | 63.76 | 78.03 | 22% |
HD | 91.15 | 117.5 | 29% |
SNE | 21.63 | 25.87 | 20% |
LL | 69.99 | 14.90 | 79% |
Conclusion: The estimates in the Ponemon report of a 21% decrease in economic value. We do not see this reflected in equity prices as valuations have increased since the event. We believe that the economic impact of consumer data breaches is overstated as consumer sentiment has not shifted to a degree that has an effect on earnings. It is likely that the personnel surveyed had overestimated the impact due to marketing material produced by the Information Security Industrial Complex. The impact to many corporations have been mitigated by Cyber Insurance (TGT, HD) or by CapEx and other cost reduction measures brought on by Shareholder Activists (SNE). Shareholder Activists and executives should reevaluate spending priorities in light of the current trends in equity performance after a data breach event.