Companies that suffered data breaches underperform in the stock market long-term, dropping 3.7% in the NASDAQ a year after the breach, according to a Comparitech report. The trend continued after three years despite the average share price rising almost 30% in that same time. The companies used for research include Apple, eBay, Equifax, Target, Under Armour and Home Depot, among others. The study was limited to companies that had a breach of at least one million records, were publicly listed on NYSE at time of the disclosure and announced the breach to the public.
About 14 market days after the breach, "share prices of breached companies hit a low point" and fell an average of 2.89%, according to the report. It takes about a month for share prices to rebound following initial disclosure.
Breaches that included payment information had the largest impact on stock performance. The health industry suffered the least from breaches while finance and payment-related companies saw the largest drop in share prices.
Within a three month period last year Equifax, Yahoo and Uber disclosed the severity of breaches they encountered. In August, T-Mobile discovered a breach of its own impacting 3% of it 77 million customers. With the regular frequency of data breaches, industry has become jaded to their impacts.
The aftermath of a breach puts a lot of strain on a company's ability to market itself as trustworthy. While there is not much of an initial impact on stocks, a company's vitality is reliant on customer perception. Marketing departments are increasingly tasked with highlighting a company's ethics above their goods or services, as seen in Uber's recent commercials.
Congress is increasing its involvement in cases where companies leave customer records including names, addresses, social security numbers or driver's licenses exposed to potentially bad actors. A form of accountability, in a the legal sense, is a strong enough reason for companies to be more diligent about their security practices.
As privacy legislation makes its way around state governments, companies will have no choice but to regain their hold on breach protection, even if cyber-related breaches decreased in 2018.