What is the actual financial impact of data breaches?
The impact of data breaches is most often measured in financial terms—how much money did the company lose?
While the immediate cost (incident response contractors, legal fees, fines, etc.) is easy to compute, the financial impact of lost customer trust and loyalty is more difficult to determine.
The most obvious place to look for help in making this determination, at least for publicly traded companies, is stock prices.
In a fascinating study from NYU Stern, Riazul Islam analyzed 92 public companies' stock prices in the aftermath of a data breach. In his paper, Islam concludes that there isn't enough evidence to reject the null hypothesis that there is no correlation between a data breach and the stock price in its aftermath. Nevertheless, Islam does note that breaches that "deeply affect the core business" are more likely to "experience a meaningful negative impact".
What Islam doesn't analyze as part of the study is the company's response to the data breach. We have shared before about the McKinsey study, which found that more people would trust a company that was hacked but responded quickly than would trust a company that wasn't hacked to begin with. Arguably, the same preferences can be seen in stock prices.
Two examples come to mind: Home Depot and Equifax.
In 2014, Home Depot suffered a major data breach that affected 56 million card numbers and 53 million customer email addresses. Moreover, hackers were inside Home Depot's systems for months before third parties identified the problem and alerted the company.
Overall, the cost of fines, lawsuits, and recovery is estimated to be around $250M-$300M. However, Home Depot's stock prices barely dropped and were higher than ever within two weeks.
On the other side of the fence is Equifax. In 2017, Equifax lost the personal information of over 140 million Americans. Between lawsuits, internal security improvements, and insurance expenses, Equifax estimated a total cost of nearly $2 billion. Moreover, in the immediate aftermath of the breach, Equifax's stock prices tumbled 18%.
However, Home Depot's breach response was also very different from that of Equifax. While Home Depot made a public statement immediately, Equifax delayed. Where Home Depot was clear and apologetic, Equifax was vague and defensive. Where Home Depot provided detailed steps for customers, Equifax confused customers and made the situation worse.
And thus, where Home Depot maintained its stock price, Equifax's plummeted.
Obviously, the primary goal is preventing a data breach in the first place. But mistakes happen, and hackers have all of the advantages in terms of time and resources.
Thus, it is also important to know how to handle a data breach if it does occur, so we can retain customer trust and loyalty like Home Depot and not lose it like Equifax.