Should companies care about privacy breaches?

Large companies do not have an economic incentive to prevent privacy breaches occurring, according to researchers from Harvard and Carnegie Mellon Universities this week.

The researchers studied 78 breaches from 2000 to 2006 in publicly traded companies, and looked at whether there was any major change in the stock price. Overall, stock dipped sharply on the first and second days after a breach was revealed, but started to climb on the third, and eventually reached pre-breach levels.

On average, companies had just under $10m (£5.5m) wiped from their stock price over the two days after the breach, leading the researchers to question whether there was any economic reason in terms of share price for companies to implement measures to stop privacy breaches.

"The potential costs for the company in terms of share price may not be enough of an incentive. Should companies care?" asked researcher Allan Friedman, who appeared at the Workshop on the Economics of Information Security at the University of Cambridge on Wednesday.

If companies have to implement privacy procedures, hire lawyers to ensure compliance and track backup tapes, it may cost more to prevent privacy breaches than ensure they don't happen, Friedman told ZDNet UK.

Recently, there has been a proliferation of customer privacy breaches, where confidential customer information is leaked through lost or stolen equipment, hacking, or insider attacks. It can often lead to identity theft. ChoicePoint, Time Warner, Ernst and Young, Medical Excess and UPS are all examples of companies whose sensitive customer information was exposed through such incidents.

Both Friedman and fellow researcher Alessandro Acquisti stressed that companies need to consider other possible fallout from privacy breaches aside from the minimal effect on share price.

"There could be [contractual] liabilities, fines, loss of reputation, loss of sales and loss of partnerships," said Acquisti.

The researchers said that it was difficult to take into account all these factors when calculating the total economic damage to a company compared with the cost of trying to guard against privacy breaches, because of the difficulties of measuring the effect of loss of reputation.

"It's a harder case to show the total expected value [of preventing privacy breaches] is negative," added Friedman.

Security experts from encryption vendor PGP Corporation agreed that it would be difficult to measure the overall effect of privacy breaches on a company.

"It's very hard to measure how much it loosens up customers," said Jon Callas, chief technical officer for PGP Corporation. "Some say 'I'll leave immediately', some don't. It's hard to establish how this leads to loss of revenue."

Callas also argued that preventing security breaches can be relatively inexpensive.

"For example, if someone loses a laptop containing sensitive information. Having encryption on that laptop would have stopped the breach, as would deploying encryption throughout the company in backup procedures, tapes and storage. If everything is encrypted properly you don't have to worry if a tape is lost," Callas claimed.