Is There a Cost to Privacy Breaches? An Event Study

Authors

Alessandro Acquisti, Carnegie Mellon University
Allan Friedman, Harvard University
Rahul Telang, Carnegie Mellon University

Abstract

While the infosec economics literature has begun to investigate the stock market impact of security breaches and vulnerability announcements, little more than anecdotal evidence exists on effects of privacy breaches. In this paper we present the first comprehensive analysis of the impact of a company’s privacy incidents on its market value. We compile a broad data set of instances of exposure of personal information from a failure of some security mechanism (hacking, stolen or lost equipment, poor process, and others) and we present the results of various empirical analyses, including event study analysis. We show that there exists a negative and statistically significant impact of data breaches on a company’s market value on the announcement day for the breach. The cumulative effect increases in magnitudes over day following the breach announcement, but then decreases and loses statistical significance. We also present regression analyses that aim at disentangling the effects of a number of factors on abnormal stock returns due to reported breaches. Finally, we comment on the differences between the impact of the security breaches already described in the literature, and the privacy breaches described here.

Recommended Citation

Acquisti, Alessandro; Friedman, Allan; and Telang, Rahul, "Is There a Cost to Privacy Breaches? An Event Study" (2006). ICIS 2006 Proceedings. 94.
https://aisel.aisnet.org/icis2006/94