Quantifying the impact of data loss incidents on publicly-traded organizations

With the widespread adoption of electronic data collection and sharing technologies, data theft has gained prominence as a major problem. The convenience of services enabled by information technology is generally appreciated. However, improper handling of data can expose government agencies, corporate entities, and individuals to various forms of financial and identity fraud. Moreover, it is unclear if these risks are distributed among government, business, and private citizens. Given the complex technical nature of data theft and the lack of methods to systematically protect against such crime, it is natural that each of these stakeholders should seek to protect their own interests. This paper explores the hypothesis that increased investment in data security by the business sector may benefit both the company making the investment as well as their customers and clients. Toward this end, we applied statistical methods from the business research community on a historical database of data loss incidents to correlate the impact of data loss on the stock performance of publicly-traded organizations. Our results indicate that the negative impact of public disclosure of data loss is statistically significant. While the long term impacts such as decreased future sales resulting from a tarnished reputation are not addressed, our preliminary results suggest that businesses may seriously under invest in electronic data protection and that additional quantitative research is needed to help businesses identify an optimal level of investment in data security specific to the risk exposure posed by their online operations.