Cyberattacks are on the rise, with over 1,000 data breaches occurring at U.S. organizations in 2016 alone, most often through hacking or external theft. And it isn’t only violated firms that are hurt by these incidents. Studying hundreds of data breaches, our research has found that they create significant ripples that affect other companies in the industry.
Our research shows that sometimes a breach creates spillover, where investors perceive a guilt-by-association effect that harms the breached firm’s close rivals. For an example of competitor harm due to these spillover effects, consider the July 2012 Nvidia data breach, which affected 400,000 user accounts. Its rival Advanced Micro Devices (AMD) lost about $48 million on the event day (-1.4% drop in stock price) from the spillover effects of Nvidia’s breach, controlling for overall market effects. That is, when removing from our analyses all other events that could have influenced AMD’s stock drop, such as dividend declarations, contract signings, earnings information, or mergers and acquisitions, we find that clear and significant harm occurred from Nvidia’s data breach.
In fact, the spillover effects across our sample evidenced a drop in stock price that averaged more than $8 million in losses for rival firms where no such data breach occurred. Our results show the financial hit to these rivals’ stock prices can be detected for several days after the data breach before eventually stabilizing.
Yet a breach can sometimes help a close rival, creating beneficial competitive effects. Consider the massive Anthem data breach in February 2015, which affected as many as 80 million customers. The high severity of this breach led rival Aetna to gain about $745 million (2.2% increase in stock prices) on the event day due to competitive effects, again controlling for overall market effects. In this situation, a data breach of this scale makes investors worry about customers mass defecting to competitors, thus providing a positive boost to a close competitor’s stock price.
Our research shows that the severity of, or number of customers affected by, a breach is a key to understanding whether close rivals will be harmed or helped by their competitor’s bad fortune. As the number of customers harmed by the breach increases, stock market effects for the firm’s rivals go from negative to positive, as competitive effects become more dominant. This suggests that smaller breaches signal that others in the industry may also be vulnerable to hacking. However, large data breaches create the impression that the breached firm is in a unique amount of trouble. Our research shows that in large data breaches, customers increasingly desire to leave the breached firm. Expected switching behavior ultimately benefits the breached firm’s competitors, as captured in their stock returns.
The good news is that firms are not powerless against these data breach effects. There are actionable strategies they can use to protect or inoculate themselves from their own or a rival’s breach. Using studies querying hundreds of customers that we recruited on Amazon Mechanical Turk, coupled with stock data analysis of hundreds of companies over the past decade, our research finds that firms can protect themselves from data breach harm by implementing two important privacy-focused practices that benefit customers.
First, they can clearly explain to customers how they are using and sharing their data. Transparent privacy practices tell customers what specific information companies capture and how they use it (for example, IP address, search history, promotions, information being sold to third parties). Second, firms can give customers ample control over the use and sharing of their data. Control is endowed through giving customer opportunities to opt out of the firm’s data practices (promotions, sharing with partners, selling). Together, these measures were perceived to effectively empower customers, giving them greater knowledge and the ability to have a say in business practices.
Why Study Privacy Policies?
When a firm had transparent privacy practices, customers in our studies felt they had the knowledge to make an informed decision about sharing their personal data. When a firm’s privacy practices offered control, customers knew they had the ability to change their preferences about what and how they share their information. In our studies, customers did not punish breached firms that provided both transparency and control. Empowered customers are more willing to share information and are more forgiving of data privacy breaches, remaining loyal after the fact, as we learned. Customers of firms that offer high transparency and control reported feeling less violated from big data practices, attested to being more trusting, provided more-accurate data to the firm, and were more likely to generate positive word of mouth.
Firms high on these two dimensions also were buffered from stock price damage during data breaches, either their own or rivals’. Yet only about 10% of Fortune 500 firms fit this profile.
To study how a firm implements practices that provide transparency and control, we needed to look at the documented ways in which companies explain their approach to customer data privacy. By studying their use of transparency and control in their privacy policies, we wanted to understand how protected Fortune 100 firms were from the negative effects of data breaches. Our research team combed the privacy policies of all Fortune 100 firms to gain insights.
Our findings show that some firms provide high levels of data transparency and control, and would be protected from data breaches. (See our ranking in the exhibit “How Good Are the Fortune 100’s Privacy Policies?”) Top-ranked firms such as Costco, Verizon, and HP would be shielded from spillover effects were a close competitor to experience a data breach. These firms clearly convey what information they capture and how they capture it, while offering their customers substantial control or say in that information’s sharing and use.
On the other end of the ranking are firms such as Citigroup, Morgan Stanley, and HCA. In 2011 Citigroup experienced a data breach of 146,000 customer records and suffered a $1.3 billion stock value loss. According to our analysis, if Citigroup had embraced practices of high transparency and high control, it would have suffered a loss of only about $16 million in stock value. That is, Citigroup might have saved about $820 million had it simply offered its customers high transparency and control. In response to this breach, Citigroup spent $250 million on cybersecurity systems and hired an additional 1,000 IT professionals. Yet our coding of its practices reveals that, as recently as 2016, Citi still was not providing high levels of transparency and control. Thus, while its enhanced IT safeguards may be sound, our research shows the company remains at risk should a competitor suffer a breach.
Company Ranking Methodology
We created transparency and control variables with procedures that employed a mix of automation and manual coding of companies’ actual privacy policies.
Specifically, for the textual coding procedure, we employed two research assistants who were blind to the study hypothesis. Prior to coding the privacy policies, the two research assistants were independently trained on a sample of privacy policies (that were not part of the final sample) to use the coding scheme. One of the authors checked to ensure the research assistants understood the coding scheme. After obtaining all the privacy policies, each research assistant independently coded them. Finally, after all the privacy policies were coded, the interrater agreement between the two research assistants was greater than 85%, and all disagreements were resolved through discussion with the first author.
To create our rankings, we compiled the summed scores of transparency and control for all firms. Rankings were achieved by summing the combined transparency and control scores. It follows that some firms had identical scores on both dimensions, and in such cases they appear according to alphabetical order in the ranking.
Looking across the rankings, other firms appear to offer one of these aspects to customers. For example, some firms provide transparency, but fail to give customers the ability to act on this information (low control). In our research, this approach was poorly received by customers.
Finally, firms that neither tell customers how they use their data nor offer any control are at the greatest risk of financial harm. Our privacy analysis showed that an overwhelming 80% of Fortune 500 firms fall into this category. In our study, firms that failed to explain their data privacy practices had a 1.5 times larger drop in stock price than firms with high transparency, while firms that provided customers high control had no significant change in their stock price after a data breach.
Ultimately, firms can use data privacy practices to protect themselves from the spillover effects of competitors’ privacy failures, but their efforts to do so need to be meaningful. They must clearly explain to customers the ways in which they will access, use, share, and protect customer information, and it must go hand in hand with giving customers control over these data uses. Failure to do so leaves a firm susceptible to risk from multiple harms.
Editor’s note: Every ranking or index is just one way to analyze and compare companies or places, based on a specific methodology and data set. At HBR, we believe that a well-designed index can provide useful insights, even though by definition it is a snapshot of a bigger picture. We always urge you to read the methodology carefully.