The Status of Recent Research Concerning Data Breaches and Reputational Risk

Nearly three years ago, Ken Belva wrote a paper intended to be a “starting point for further, positive discussion” regarding the topic of data breaches and reputational risk.  The title of the paper also presented Ken’s major theme:  “How It’s Difficult to Ruin a Good Name:  An Analysis of Reputational Risk.”

The paper analyzed trends associated with stock prices of several prominent retail and financial services corporations that had experienced well-publicized data breaches.  Ken concluded that, for these organizations, the announcement of a breach was usually followed by a brief dip in the closing price of a company’s stock, quickly followed by a sustained rise.  Ken interpreted this counterintuitive finding as evidence that a data breach does not necessarily pose a reputational risk to an organization, as long as (1) there is no sustained pattern of similar breaches experienced by the company and (2) the organization’s primary business does not involve providing a service where information security is an integral element.  Polo Ralph Lauren and Citigroup, two of the companies discussed in Ken’s study, are not selling security as a major service; ChoicePoint, however, offers security controls as an essential feature of its product.

Ken’s thesis was validated when, in January 2007, TJX (the parent company for Marshall’s, TJ Maxx, and other retail establishments) announced the unauthorized disclosure of credit card data concerning millions of customers.  The breach was announced on January 17.  That day, TJX closed at $29.63, down .22 from the previous day.  On the next day, the stock fell an additional .13.  However, two days following the breach announcement, TJX shares closed at $30.03, a .40 rise since the announcement.
