Investors don’t get the message

This research from Harvard and Carnegie Mellon universities shows that that large companies have no clear stock price-related incentive to prevent privacy breaches. Despite clear evidence of vulnerabilities that could seriously harm their interests, investors fail to give major quoted companies more than a mild slap on the wrist if their IT security is shown to be so lacking that there is a major breach of one or more privacy laws. After an initial dip, share prices quickly return to normal.

CIOs shouldn’t take this as a green light to reduce the cost of investment in protecting consumer privacy. The fact is that few institutional investors yet really understand the potentially very high direct and indirect costs of these breaches and so can’t yet make informed investment decisions.

As they become more knowledgeable (particularly with regulators becoming more determined around privacy), so the share price impact of a serious breach will become more dramatic and more prolonged. That, plus the possibility of SEC investigations and class-action suits, should be enough to keep CIOs and boards focused on their responsibilities around protecting personal information.