Breach

'Strategic News Bundling and Privacy Breach Disclosures' by Sebastien Gay considers

 how firms strategically bundle news reports to offset the negative effects of a privacy breach disclosure. Using a complete dataset of privacy breaches from 2005 to 2014, I find that firms experience a small and significant 0.27% decrease in their stock price on average following the breaking news disclosure of the privacy breach. But controlling for media coverage, this small decline is offset by an increase in the effect of a larger than usual number of positive news reports released by the firm on that day, which could increase the returns by 0.47% for every additional positive news report compared to their usual media coverage. I further find that disclosure laws have a significant and negative effect on the returns, even when news releases are used to alleviate the decrease. Moreover, a portfolio constructed with breached firms controlling for state disclosure laws outperforms the market over the 2007-2014 period, especially in the case of breached firms in mandatory disclosure states.

Gay comments

The development of online transactions and data aggregation storage for companies has increased the risk of privacy breaches in the past ten years. According to Privacy Rights Clearinghouse, in fact, there were more than 4,540 breaches reported over the period 2005- 2014, compared to less than 1,000 over 1995-2005. The increase is primarily due to the increased use, retention, and repackaging of data by companies.  

On February 4, 2015, Anthem, Inc., one of the largest health insurance companies in the United States, announced that 80 million customers’ and employees’ data were stolen. Critical information (social security numbers, names, and dates of birth) for the 80 million affected people was at risk of fraudulent use, making the Anthem breach one of the largest privacy breaches in history. During the next trading day, however, the Anthem stock barely went down from its closed value of $137.6 of the day prior to the brach announcement. The close price represented a decrease of 0.31%, in line with the overall market decrease. The Anthem stock was unaffected by this (random) event. This is one of many examples of data breaches that affected a large amount of customers and their highly personal and sensitive data but did not lead to a market sellout of the firm’s stock.  

This paper examines why stocks of breached firms do not seem to be significantly affected after reporting a privacy breach. I empirically show that firms counterbalance the effect of a privacy breach disclosure by bundling this negative and potentially costly release with more positive news reports to alleviate any expected decrease in stock value. I also find that firms tend to release the disclosure during a period when there are a smaller than usual amount of negative news reports. My analysis is reinforced by the fact that privacy breaches happen at random times for any given firm, but firms have some small leeway to time their disclosures. States have different laws regarding disclosures that can allow firms to announce the privacy breach event to customers or the state attorney general with different timeframes, usually between a day to up to two months after the firm discovers the breach. Moreover, privacy breaches are known to be indicative of negative news since they indicate that private information from customers or employees (or possibly both) has been stolen. Also, privacy breach disclosures, contrary to more frequent and pre-scheduled corporate disclosures, are good identifiable random events to test strategic (voluntary) disclosures by firms. Despite not all states requiring disclosures, firms may want to disclose a privacy breach to avoid developing a negative reputation.  

This empirical analysis answers two main questions using privacy breach disclosures: First, can firms counterbalance the negative effect of a privacy breach disclosure by strategically timing the release of more positive media coverage than usual? Second, do disclosure laws have a significant effect on the stock price of the firms that experience a privacy breach?

He concludes

This paper analyzes the effects of privacy breach disclosures and its potential bundling with positive news on that day on the stock market. My key finding is that firms manage to avoid the full negative effect of a privacy breach event disclosure by releasing on the same day an abnormal amount of positive news to the market. Specifically, I show that after the “breaking news” release of a privacy breach a large amount of positive news to the market tends to have a dominating effect. My results suggest that a larger abnormal amount of positive news on the day of the breach disclosure more than offsets the negative effect of the disclosure. These findings are consistent with the empirical behavioral literature where bad news reports are usually released to the market when investors are not paying attention. In my particular case of privacy breaches, investors are distracted by the negative news report on privacy breaches. I provide evidence that firms tend to release bundled news to the market to offset negative random events, potentially stocking good news. Contrary to planned news that firms prepare months in advance, most privacy breaches need to be disclosed within two months of discovery. I find that there exists a strategic bundling of news by firms around unexpected negative events. My interpretation focuses on the premise that firms are not entirely in control of a privacy breach release and will try to bundle positive news to be able to control the effect of the privacy breach disclosure on their stock.  

A trading strategy based on the mix of breaking news and disclosure laws outperforms the market. In essence, disclosure laws seem to punish breached firms, especially if the disclosure is reinforced by breaking news reports. It may be an indirect way for the FTC to ensure firms are setting the right standards of protection against privacy breaches.blockquote>