Any Publicity is Good Publicity? Data Breaches and Firm Reputation

Corporate data breaches have risen over the past 15 years,¹ with spectacular mega-breaches increasingly frequent and common.² However, it is not clear how these breaches exact an economic consequence on the affected firms,³ aside from legal costs in the aftermath. Economic research has produced ambiguous estimates of how data breaches affect these firms’ share prices.⁴ One might even infer that based on shareholder response (or lack thereof), capital markets care little about corporate data protection.

Original research presented here shows how publicly reported data breaches can actually improve the reputations of firms.⁵ Looking at a sample of 43 firms, brand power and familiarity actually increase by 13 to 22 percent following an average-sized data breach. However, the costs appear to go up with the size of the breach. Indeed, in the aftermath of 11 of the largest data breaches assessed, brand power and familiarity decrease by 14 to 18 percent.

The Research

The economics research community is only in the early stages of understanding the effect of data breaches and malicious cyber incidents on shareholder value. But the implications are significant for regulatory policy. If companies do not suffer consequences for cyber incidents, then they will have no reason to make more than a minimal investment to protect the data of their stakeholders (customers, employees, suppliers, et cetera). At present, publicly held companies do not appear to pay a steep price.⁶

The methodology for this research consists of several layers. First, it draws from related literature on the economic effects of information technology and security investments on firm value.⁷ Next, to understand how publicly reported data breaches affect firm reputation, this research utilizes the CoreBrand Index from Tenet Partners, which measures several dimensions of a company’s reputation at a quarterly frequency across 1,000 companies since 2001 (and annually since 1990). The CoreBrand Index is constructed from survey responses among business executives (i.e., the level of vice president and above) across major corporations to assess a combination of “familiarity” and “favorability,” where favorability is a function of “overall reputation,” “perception of management,” and “investment potential” ratings. Overall, the index captures sentiment among informed individuals in the marketplace about specific companies.⁸

This research focuses on two specific inputs of the CoreBrand Index – brand power and familiarity – before and after a data breach. To account for the possibility that a firm may experience a data breach when its reputation is already performing poorly – for example, if a company experiences a decline for other reasons and has fewer resources to devote to information security – firm performance (e.g., revenue) is included as a control. Drawing data from a cohort of publicly traded companies and controlling for firm revenue, employment, and capital, this research finds that brand power and familiarity increase by 22 percent and 13 percent, respectively, following a data breach.

These increases, rather than decreases, in firm reputation following a data breach may seem counterintuitive given the conventional view that negative publicity hurts brand value and firm performance. But the evidence shows that negative publicity can have positive effects.⁹ For example, negative press can actually elevate a firm’s public profile if it is not well-known.¹⁰ This is consistent with the old adage, “any publicity is good publicity.” Less visible brands can garner positive publicity, even if some of the media coverage is negative.

However, data breaches have a tipping point. When restricting the sample to the largest and most spectacular data breaches, brand power declines by 17 percent and familiarity declines by 16 percent. These estimates are consistent even after controlling for the usual characteristics of a firm, such as employment or revenue. Moreover, when focusing on firms with a larger public profile, there is an even greater decline of 26 percent and 18 percent in brand power and familiarity, respectively. This would indicate that better-known brands are more sensitive to positive and negative media.

Conclusion and Policy Recommendations

Although data breaches have become more common, businesses are not always making the necessary cybersecurity investments to keep pace with the growing danger. While many publicly traded companies are exposed to significant cyber risk,¹¹ firms may choose to under-invest in their security infrastructure if the economic consequences are not severe.¹² Admittedly, more research is needed, particularly to expand the sample. Still, judging from this sample of large, publicly traded firms, initial assessments show that data breaches do not result in reputational damage. Instead, there are often positive effects arising from media exposure and familiarity.

But the absence of economic consequences has a potentially deleterious effect. Companies have few incentives to invest in cybersecurity. This means more data is at risk. The following recommendations should therefore be considered:

1. Create a national and harmonized data breach notification law. While nearly all states now have their own version of data breach notification laws, they may differ in meaningful ways. Because publicly traded companies often operate in some capacity across all U.S. states and territories, the lack of a clear and unified national standard creates uncertainty and fragmentation. This may prevent cybersecurity investments that may otherwise be undertaken. The federal government could establish a minimum standard that individual states could potentially enhance if they so choose, allowing for federalism to prevail. This suggestion parallels the recommendation by the congressionally chartered Cyberspace Solarium Commission to create a national breach notification law that supersedes all existing state and local laws.¹³
2. Enhance procurement policies for federal contractors and defense companies. The federal government has significant purchasing power, which it can leverage to improve cybersecurity best practices in the private sector by requiring contractors to maintain a baseline of cybersecurity precautions and performance. While the government should not be in the business of micro-managing, it is reasonable to set performance standards, particularly with defense companies, to ensure improvements across the contractor community. Since supply chains are inherently interconnected, a change in policy for defense companies could generate important ripple effects across other industries.
3. Maintain a secure national database of malicious cyber incidents for research. While several existing databases track data breaches and other malicious cyber incidents, the data are insufficient for serious research that can benefit U.S. businesses. Current data either omit firm names or overlook certain malicious cyber incidents, making it tough to build predictive models that relate malicious attacks with financial outcomes. The National Cyber Investigative Joint Task Force already has a strong record in working to “coordinate, integrate, and share information to support cyber threat investigations, supply and support intelligence analysis for community decision-makers, and provide value to other ongoing efforts in the fight against the cyber threat to the nation.”¹⁴ This successful interagency structure could provide a model for securely sharing data on malicious cyber incidents, including granular information about both the exposed firm and the attacker.¹⁵

The trendline of corporate breaches indicates that the problem is likely to grow worse. But the limited or even positive impact of breaches suggests that companies may not be sufficiently motivated to protect their data. These recommendations can help guide the private sector toward a safer future and allow the federal and state governments to lead the way.

Christos Makridis is a visiting fellow at the Foundation for Defense of Democracies (FDD), where he contributes to FDD’s Center on Cyber and Technology Innovation (CCTI). He is a research professor at Arizona State University and a non-resident fellow at MIT Sloan’s Initiative on the Digital Economy and Harvard Kennedy School’s Cyber Security Project. For more analysis from Christos and CCTI, please subscribe HERE. Follow Christos on Twitter @camakridis. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.