Large companies do not have an economic incentive to prevent privacy breaches occurring, according to researchers from Harvard and Carnegie Mellon Universities this week.
The researchers studied 78 breaches from 2000 to 2006 in publicly traded companies, and looked at whether there was any major change in the stock price. Overall, stock dipped sharply on the first and second days after a breach was revealed, but started to climb on the third, and eventually reached pre-breach levels.
On average, companies had just under $10m (£5.5m) wiped from their stock price over the two days after the breach, leading the researchers to question whether there was any economic reason in terms of share price for companies to implement measures to stop privacy breaches.
"The potential costs for the company in terms of share price may not be enough of an incentive. Should companies care?" asked researcher Allan Friedman, who appeared at the Workshop on the Economics of Information Security at the University of Cambridge on Wednesday.
If companies have to implement privacy procedures, hire lawyers to ensure compliance and track backup tapes, it may cost more to prevent privacy breaches than ensure they don't happen, Friedman told ZDNet UK.
Recently, there has been a proliferation of customer privacy breaches, where confidential customer information is leaked through lost or stolen equipment, hacking, or insider attacks. It can often lead to identity theft. ChoicePoint, Time Warner, Ernst and Young, Medical Excess and UPS are all examples of companies whose sensitive customer information was exposed through such incidents.
Both Friedman and fellow researcher Alessandro Acquisti stressed that companies need to consider other possible fallout from privacy breaches aside from the minimal effect on share price.
"There could be [contractual] liabilities, fines, loss of reputation, loss of sales and loss of partnerships," said Acquisti.
The researchers said that it was difficult to take into account all these factors when calculating the total economic damage to a company compared with the cost of trying to guard against privacy breaches, because of the difficulties of measuring the effect of loss of reputation.
"It's a harder case to show the total expected value [of preventing privacy breaches] is negative," added Friedman.
Security experts from encryption vendor PGP Corporation agreed that it would be difficult to measure the overall effect of privacy breaches on a company.
"It's very hard to measure how much it loosens up customers," said Jon Callas, chief technical officer for PGP Corporation. "Some say 'I'll leave immediately', some don't. It's hard to establish how this leads to loss of revenue."
Callas also argued that preventing security breaches can be relatively inexpensive.
"For example, if someone loses a laptop containing sensitive information. Having encryption on that laptop would have stopped the breach, as would deploying encryption throughout the company in backup procedures, tapes and storage. If everything is encrypted properly you don't have to worry if a tape is lost," Callas claimed.
Talkback
Sigh. The 'encryption' solves everything sales talk again. If 'encryption' is really such a total solution for everything then I'm sure your 'encryption' supplier wouldn't mind signing a little contract that states then whenever your administration reveals an 'encryption' breach the 'encryption' supplier will pay out up front, no questions asked, $1,000,000,000.00 per occurance.
What? They don't? Wow, very sure of themselves, aren't they? It's OK to put your assets on the line, but theirs? Excuse me, but talking the talk doesn't mean anything to me if you don't walk the walk. Put your money where your mouth is, it's as simple as that.
What kind of stupid question is "Should companies care about privacy breaches?" Of course they should, just like factories in the 1890s should have cared about 10-year old workers losing arms in machines.
The problem is that neither laws nor insurance companies financially compel them to do so. As long as we lack any meaningful privacy laws and politicians keep getting paid to keep it that way, the situation is unlikely to change.
And indeed, encryption is not a 100% solution. You can use a trivial algorithm or use a good algorithm badly. However, using even something like PGP to encrypt the data raises the bar high enough as to make cracking it technically infeasible for all but the most committed criminals, you know, the ones with PhDs in Mathematics and an army of Crays at their disposal. Certainly it would make it harder than many companies' current state of the art, which is to leave the data in the cleartext on a laptop computer in a car.
I'm very curious as to whether the data would be the same for 2005-2006, when there has been much more attention focused on these issues. 2000 was the prehistoric era for security breaches, in terms of identity theft risk, media attention, regulatory requirements, etc. I think risks and costs for companies are much more significant today. Whehter that translates to stock price, I don't know.