In the March 31, 2015 article, “Why Data Breaches Don’t Hurt Stock Prices,” the Harvard Business Journal discusses why stock prices may not be immediately impacted by a data breach at a company. The article discusses the fact that shareholders may be growing “numb” to data breaches and are beginning to just assume breaches are a cost of doing business.
In addition to growing numb, shareholders may also not be concerned about data breaches because there is a lack of a clear understanding of the damages caused by a data breach. Specifically, the article indicates that “[t]he long and mid-term effects of lost intellectual property, disclosure of sensitive data and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify. Therefore, shareholders only react to breach news when it has direct impact on business operations, such as litigation charges (for example, in the case of Target) or results in immediate changes to a company’s expected profitability.”
The Harvard Business Journal also included a number of recent examples where a company’s data breach did not meaningfully impact the company’s stock price, including:
- Costs related to Home Depot’s data breach were estimated to exceed $62 million yet the company’s stock only decreased shortly after the breach and bounced back shortly thereafter; and
- After its breach, Target’s stock dropped 10%, “but by the end of February , Target had experienced the highest percentage stock price regain in five years.”
The article concludes that “[s]hareholders should look beyond short-term effects and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, legal fees associated with the breach and potential changes in management.”
The potential for damage caused by a breach and how shareholders account for damages caused by a breach in a company’s stock price are two different questions. The authors of this article are careful in limiting their analysis to the immediate impact of a data breach on a company’s stock price. The article is not intended to address the potential damage a data breach can cause to a company. It also does not address the validity of shareholder derivative actions or actions by the SEC related to a company’s data security.