IS THERE A COST TO PRIVACY BREACHES?
A
N EVENT STUDY
1
Alessandro Acquisti
Carnegie Mellon University
acquisti@andrew.cmu.edu
Allan Friedman
Harvard University
allan_friedman@ksgphd.harvard.edu
Rahul Telang
Carnegie Mellon University
rtelang@ andrew.cmu.edu
Twenty Seventh International Conference on Information Systems, Milwaukee 2006
and Workshop on the Economics of Information Security 2006
Pre-proceeding draft version
Abstract
While the literature on information security economics has begun to investigate the stock market impact of
security breaches and vulnerability announcements, little more than anecdotal evidence exists on the effects of
privacy breaches. In this paper we present the first comprehensive analysis of the impact of a company’s privacy
incidents on its market value. We compile a broad data set of instances of exposure of personal information due to
failures of some security mechanism (hacking, stolen or lost equipment, poor data handling processes, and others)
and we present the results of various empirical analyses, including event study analysis. We show that there exists a
negative and statistically significant impact of data breaches on a company’s market value on the announcement
day for the breach. The cumulative effect increases in magnitudes over the day following the breach announcement,
but then decreases and loses statistical significance. We also present regression analyses that aim at disentangling
the effects of a number of factors on abnormal stock returns due to reported breaches. Finally, we comment on the
differences between the impact of the security breaches already described in the literature, and the privacy breaches
described here.
Keywords: Privacy, Information Security, Economics, Finance, Event Studies
1
This research was supported by CMU Berkman Faculty Development Fund and by CMU CyLab. The authors
would like to thank Steve Frank, Jutta Williams, and Franklin Ho for their research assistantship, and participants to
workshops at ETRICS and WEIS for useful feedback.
