Every other day there’s yet another security breach. Yahoo’s announcement that 500 million accounts had been compromised is the most recent, and largest, but even that can barely raise more than a yawn from investors. The reason, according to professors Shiva Rajgopal (Columbia Business School) and Suraj Srinivasan (Harvard Business School), is that a gaping chasm exists between the costs of security breaches and the amount a company’s investors must pay to remediate them.
In short, markets are failing to properly price security breaches, causing companies to grow lax in their security procedures.
Let Them Eat Cake
Back to Yahoo. Despite yielding a bonanza of names, dates of birth, hashed passwords (mostly bcrypt), and security questions and answers for 500 million customers, Yahoo hasn’t really faced much backlash. Sure, Verizon used the breach as a $1 billion bargaining chip in its planned acquisition of Yahoo, but the stock market barely registered the breach, sending Yahoo shares down just 3% the day after the announcement.
As Rajgopal and Srinivasan calculate, that drop works out to $1.2 billion, or 3% of Yahoo’s $40 billion market cap. That’s roughly equal to the amount by which Verizon is trying to lower its bid, but it’s also a tiny amount compared to how much it costs to fix a broken account. By Ponemon Institute estimates, it costs $221 to resolve each breached account.
Granted, much of this $221 will be covered by the insurance companies, but it still indicates a wide disparity between the cost (and bother) borne by a company and its customers, and may lead to those same companies taking a comparatively casual approach to security.
The Price Isn’t Right
If investors were made to bear the true costs of breaches, they’d flee the stocks of those companies that couldn’t get their security act together. This, in turn, would drive enterprises to invest in better security which, in turn, would benefit their customers.
Rajgopal and Srinivasan suggest that improved technology and other mechanisms could help limit the impact or incidence of data breaches, but the easiest solution to the problem is simply to find ways to make those investors more fully feel the financial burden of a breach. Until we do, companies will effectively keep passing the burden of breaches on to the people least able to bear them: You and me.