The Effect of Data Breaches on Shareholder Wealth

Electronic copy available at: http://ssrn.com/abstract=1121172

Submitted By:

Kevin M. Gatzlaff**
Doctoral Candidate in Risk Management/Insurance
College of Business, Florida State University
Tallahassee, FL 32306-1110
Phone: (850) 443-2026
Fax: (850) 644-4077
Email: [email protected]

Kathleen A. McCullough, PhD
Associate Professor and State Farm Insurance Professor in Risk Management/Insurance
College of Business, Florida State University
Tallahassee, FL 32306-1110
Phone: (850) 644-8358
Fax: (850) 644-4077
Email: [email protected]

September 2008

** Designated Contact Author


ABSTRACT

Many companies face the risk of a data breach exposing stored personal information of customers and employees. The frequency of such incidents has been increasing over time and can result in significant costs for the affected firm. This paper examines the stock market’s assessment of the cost of data breaches at publicly traded companies in which personal information such as customer and/or employee data is exposed. Using event study methodology on a sample of 77 events between the beginning of 2004 and the end of 2006, we find that the overall effect of a data breach on shareholder wealth is negative and statistically significant. Based on a cross-sectional analysis of the cumulative abnormal returns, we find a negative association between market reaction and firms that are less forthcoming about the details of the breach. We also find that firms with higher market-to-book ratios experience greater negative abnormal returns associated with a data breach. Further, we find that firm size and subsidiary status mitigate the negative effect of a data breach on the firm’s stock price and that the negative market reaction to a data breach is more significant in the most recent time periods of the sample.

Keywords: data breach, shareholder wealth, event study, market efficiency

JEL Classifications: C21, G14


INTRODUCTION[1]

Data breaches represent a significant risk for many companies that store personal information of customers and/or employees. If this information is accessed by an unauthorized party, identity theft or other fraud may result. The affected organization may face fines or other penalties, in addition to notification and security upgrade costs related to the breach. Further, companies may incur costs resulting from litigation stemming from the potential liability exposure. For these reasons, an examination of the stock market’s assessment of the costs of data breaches is warranted.

One of the most significant events in the history of data breaches occurred at ChoicePoint. In February 2005, ChoicePoint, self-described as the “nation’s leading provider of identification and credential verification services” (ChoicePoint, 2006), disclosed that thieves had created false accounts for the purpose of obtaining personal information with which to commit identity theft and subsequent fraud. Initially, ChoicePoint estimated that the information of 140,000 people had been compromised, and at the time of the announcement, more than 700 documented instances of identity theft had already been directly linked to the data breach (Weber, 2005).

Since that time, the incidence of exposures that could lead to identity theft has noticeably increased. The Privacy Rights Clearinghouse, a non-profit consumer information and advocacy organization, estimates more than 440 instances of reported exposures to potential identity theft have occurred between the February 2005 ChoicePoint incident and December 2006 due to data breaches at corporations, universities, and government agencies. The organization further estimates that the number of records exposed in these breaches exceeds 100 million (Privacy Rights Clearinghouse, 2007).[2]

To date, only a few event studies have attempted to analyze privacy breaches and other similar occurrences. Potentially due to the diversity of events examined, these studies have failed to reach agreement on a variety of pertinent issues. Previous researchers disagree both on whether there is a discernible stock market response to security breaches as well as on which factors, if any, influence the magnitude and direction of the response. In this study, we focus solely on customer and/or employee data breaches at publicly traded firms. Our study also consists of a larger, more recent sample of events. This paper will contribute to the literature by 1) providing evidence regarding the effect of data breaches on shareholder wealth; and 2) providing insight into factors that influence the magnitude and direction of the stock market’s response to news of a breach of customer and/or employee data.

The remainder of this paper is organized as follows: the following section provides some background information related to data breaches. A review of relevant literature is then provided, along with a discussion of our research motivation. We develop our hypotheses and describe our research methodology and data in the next section. Finally, we discuss our results, and provide concluding thoughts and avenues for future research.

[1] The authors would like to thank two anonymous reviewers for their comments on this paper along with James Carson, Cassandra Cole and participants at the 2006 Southern Risk and Insurance Association Meeting.
[2] While the Privacy Rights Clearinghouse has tracked data since February of 2005, our sample period begins in January of 2004.

BACKGROUND

While the ChoicePoint incident was not the first instance of its kind, this particular data breach was unique because it occurred at a firm specifically involved in collecting, maintaining, and combining personal data. Additionally, the incident exposed a large number of records and attracted a great deal of media attention. Until this incident, data brokers had attracted relatively little federal regulatory attention with regard to the potential for identity theft. Further, only a few states, most notably California, had legislation in place mandating disclosure of such breaches. After the ChoicePoint incident, states began to more aggressively pursue legislation in this area. As of May 2008, 42 states had adopted legislation regarding protection of customer and/or employee data (National Conference of State Legislatures, 2008).[3]

While widespread regulation of consumer and employee data security was not common prior to the ChoicePoint incident in February 2005, some industries had already begun to confront the issue. For example, under the Gramm-Leach-Bliley Act (GLBA), financial institutions already faced specific obligations to protect personal data.[4] The Health Information Portability and Accountability Act (HIPAA) also had already imposed data security obligations on health care providers and facilities prior to the 2005 ChoicePoint incident. Outside of these two categories (financial institutions and health care organizations), most entities did not have a specific, federally legislated obligation to protect customer and/or employee data. However, in several instances, the Federal Trade Commission (FTC) has taken the position that failure to take reasonable steps to protect customer data is a violation of Section 5 of the Federal Trade Commission Act. Thus, by virtue of the FTC position and the growing number of states that have attempted to legislate disclosure of data breaches, virtually all firms that store customers’ and/or employees’ personal data are exposed to potential loss in the event of a data breach.

Costs of Data Breaches

Data breaches of customer and/or employee data impose significant costs on both individuals and firms. For example, breaches of customer and/or employee personal data can potentially expose individuals to credit card fraud. Most of the time, individuals are protected from fraudulent charges in excess of $50 in these instances, and some credit card companies will waive even this amount. However, data breaches and subsequent identity theft can expose an individual to significant personal costs even if immunity from direct financial harm is guaranteed. The Identity Theft Resource Center in San Diego estimates that the average individual affected by identity theft spends $800 and 175 hours to repair the damage (Krause, 2006).

More specific to the topic of this paper, the costs to firms experiencing data breaches can be substantial as well. In addition to increased operational expenses such as customer notification and credit monitoring services, there also may be a significant loss of business for the breached firm.[5] Firms experiencing data breaches may be subject to lawsuits and fines, which represent yet another cost. In early 2006, ChoicePoint agreed to pay a $10 million fine, the largest ever levied by the Federal Trade Commission, as a result of its data breach. ChoicePoint also agreed to contribute $5 million to a fund to compensate affected individuals (Vijayan, 2006). In the most extensive data breach case to date, involving the infiltration of TJ Maxx’s customer records database, the total cost including notification, credit monitoring, and court settlements was estimated to be $256 million (Kerber, 2007).

The potential for liability exposure and subsequent legal action associated with a data breach differentiates this paper from several previous event studies regarding the broader category of information security. We focus solely on events that resulted in exposures of consumers’ and/or employees’ personal data that could potentially lead to identity theft. To our knowledge, no sample has existed solely of these types of events. In this paper, we examine the stock market responses to data breaches in an attempt to quantify the effect of the above costs on shareholder wealth. We also conduct a cross-sectional analysis of the magnitude and direction of the stock market’s reaction to firms experiencing a data breach, to examine the impact of specific firm and breach characteristics on the market’s reaction.

[3] Many of these states have moved to legislate mandatory disclosure requirements in the event of a data breach (Schwartz and Janger, 2007).
[4] GLBA conferred powers upon the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Federal Savings and Loan Insurance Corporation, and other bank regulatory agencies to regulate data security. These agencies had issued two “Interagency Guidances” pursuant to GLBA, which required financial institutions to maintain reasonable data security and to develop a formal response plan in the event of a data breach (Schwartz and Janger, 2007).
LITERATURE REVIEW/PREVIOUS FINDINGS

Most of the relevant event study literature to date has focused on a much broader category of events classified as “security breaches”. In some cases, researchers have examined the stock market response to announcements of denial of service attacks (Hovav and D’Arcy, 2002), reports of computer viruses (Garg, Curtis, and Halper, 2003), and theft of proprietary data (Cavusoglu, Mishra, and Raghunathan, 2004, and Campbell, Gordon, Loeb, and Zhou, 2003). While these are significant events that could be expected to produce a stock market response, they differ substantially from the type of breach that we examine in this paper, particularly because they do not focus exclusively on events involving the potential exposure of customer and/or employee data. Additionally, most of the previous research has been limited by relatively small sample sizes. This combination of diversity of examined events and relatively small sample sizes potentially explains the considerable disagreement in the literature related to both the significance and magnitude of the stock market’s reaction to such events and factors related to this response. Table 1 provides a summary of the key findings of referenced empirical work related to security breaches.

[5] For example, CardSystems, a credit card processor whose customers’ information was accessed by computer hackers in 2005, faced non-renewal of contracts it had with major credit card brands after it was reported that the information of 40 million credit card holders was potentially exposed to identity theft (Bruno, 2005). As a result, the company was ultimately sold.

On the Effect of Security Breaches on Shareholder Wealth

Some of the research regarding security breaches has indeed concluded that the stock market response to news of a security breach is negative and significant. For example, Garg, Curtis, and Halper (2003) examine 22 events between 1996-2002 involving “information security incidents” which include not only instances where consumer data has been exposed, but also denial of service attacks, computer viruses, and theft of proprietary data. They find that the average abnormal return for these firms was -5.3% over the three days following the event. Similarly, Cavusoglu, Mishra, and Raghunathan (2004) find overall abnormal returns over a two-day window of -2.1% for 66 events between 1996-2001 where firms experienced “malicious attempts to interfere with a company’s business and its information.” Included in their classification are not only breaches of customers’ personal data, but also attacks on proprietary data or its integrity.

On the other hand, some researchers contend that news of security incidents does not automatically portend a drop in the afflicted firm’s stock price. Hovav and D’Arcy (2003) examine 23 denial of service attack announcements between 1998 and 2002, and observe that the overall sample shows no statistically significant stock price response. They conclude that some firms may be overpaying to reduce this risk, since the effect on shareholder wealth for non-Internet firms is negligible. Campbell, Gordon, Loeb, and Zhou (2003) examine a broader class of security incidents with the same result.[6]

Ko and Dorantes (2006) use a matched-firm analysis to assess the difference between one-year subsequent financial performance of firms that have experienced an information security breach between 1997 and 2003 and similar firms that have not.
They examine 19 firms that experienced unauthorized access to data. Ko and Dorantes find that in the following year, performance of the security-breached firms is not severely compromised, but in some measures, security-breached firms tend to lag those that have not experienced a breach. They cite these findings as “partial support” for their overall hypothesis that security-breached firms will underperform their peers.

Examinations of Firm Characteristics

Researchers also disagree on the factors that are likely to affect the magnitude and direction of the stock price response to news of a security incident. In some cases, researchers find a link between the stock market response and firm characteristics. Hovav and D’Arcy (2003) find that though their overall sample lacked a discernible stock market response, the effect of a denial of service attack was negative and significant for a subset of Internet-only firms. Similarly, Cavusoglu et al. (2004) find that security breaches at Internet firms are more strongly correlated with a negative stock price response than breaches at conventional firms. They further find a mitigating effect of size on the stock price response.

[6] Campbell et al. (2003) examine denial of service attacks, computer viruses, and unauthorized access to customer lists and/or credit card data.

Examinations of Breach Characteristics

Some researchers have examined characteristics of the event to attempt to explain the magnitude and direction of the stock price response to news of a security incident. Garg et al. (2003) find that the market reacts most severely to the theft of credit card information, although there were only four such events in their sample. They also find that the market reacts negatively to announcements of denial of service attacks and web site defacements (vandalism). Their conclusion is that the type of breach affects the stock market’s response. Similarly, Campbell et al.’s (2003) primary finding is that the nature of the breach can affect the associated stock market response; specifically, instances of unauthorized access to data are strongly and negatively associated with the stock market response. In contrast, Cavusoglu et al. (2004) find that instances of unauthorized access to data in their sample are not penalized more strongly than other instances of security breaches. They conclude that the nature of the breach is not a factor influencing the stock market’s response to the event.

Table 1: Summary of Previous Research Findings

Cavusoglu et al. (2004)
  1. Breaches result in overall loss of 2.1% of value over two days following event
  2. Breach costs are higher for Internet firms
  3. Costs not related to breach type
  4. Breach costs increase over time
  5. Negative correlation between size and stock market response

Hovav and D’Arcy (2003)
  1. Breach costs higher for Internet firms
  2. No overall significant market impact for denial of service attacks

Garg et al. (2003)
  1. Security attacks result in overall loss of 5.3% of value over 3-day event window
  2. Internet security vendors experience positive returns of 10.3% over the same window when security attacks are reported
  3. Property-casualty insurers experience a loss of 2.0% over the same window when security attacks are reported

Campbell et al. (2003)
  1. Breaches result in no statistically significant loss for entire sample
  2. Breaches involving unauthorized access to customer personal data or firm proprietary data result in an average loss of firm value of 5.5%

Examinations of Other Factors

Most previous researchers make mention of the rise of the Internet’s availability and popularity as a motivation for their examination. Of the research discussed here, only Cavusoglu et al. (2004) cross-sectionally examine the time period in which the breach occurred. They find that the more recent instances in their sample are associated with a stronger negative stock market response, which they attribute to investors’ changing perceptions of security breaches over time.

Research Motivation

Previous researchers have found conflicting evidence regarding whether specific breach and firm characteristics can impact the stock market response. Prior studies use relatively small samples, due in part to the relative paucity of events over the time frame from 1995-2003. We examine a three-year time period beginning January 1, 2004 and ending December 31, 2006. Our paper contributes to the literature in that it will focus solely on breaches of customers’ and/or employees’ personal data to reduce the potential for confounded results based on different types of breaches. This time period includes a significant number of breaches of customer and/or employee personal data. We analyze:

1) The effect of breaches of customer and/or employee data on shareholder wealth;
2) The impact of firm characteristics on the direction and magnitude of the stock price reaction to news of a breach of customer and/or employee data;
3) The impact of breach characteristics on the direction and magnitude of the stock price reaction to news of a breach of customer and/or employee data;
4) The impact of the firm’s response to the breach; and
5) The effect of the passage of time on the direction and magnitude of the stock market’s reaction.

To our knowledge, this will be the largest sample of events consisting exclusively of firms experiencing a breach of private consumer or employee data.
HYPOTHESIS DEVELOPMENT

The stock market response to a breach of personal consumer data is likely to result in one of two outcomes. First, the market may react negatively to news of a breach, as found in Cavusoglu et al. (2004) and Garg et al. (2003), indicating a recognition of the clear costs that breaches can generate. Second, there may be no significant stock market reaction to news of a data breach, as found by Hovav and D’Arcy (2003) and Campbell et al. (2003). The lack of a significant stock market response may indicate that these events may have become so commonplace that their occurrence generates a negligible market response.

Determinants of Cross-Sectional Variance

The discussion in this section develops hypotheses to explain the magnitude and direction of the stock market response based on the relation of firm and breach characteristics to the cumulative abnormal returns of each breached company. The determinants of cross-sectional variance of companies’ abnormal returns can be classified into three categories: firm characteristics, breach characteristics, and one context-specific characteristic (time). The examined factors and expected relationships are displayed in Table 2.

Firm characteristics. The first set of characteristics that may impact the magnitude and direction of the stock market’s response to news of a breach of customer and/or employee personal data is firm-specific.

Firm type. A firm storing sensitive financial, medical, or personal data, like a financial institution, a health care provider, or a data broker, should experience a greater negative abnormal return resulting from a privacy breach than one that does not. To examine this relationship, we assign a dummy variable “HIGH_EXPECT” for each firm. The value is set to one if the firm falls under the jurisdiction of either the GLBA or the HIPAA, or if it would be reasonable to expect heightened data security from the breached firm.[7]

Firm response. In the initial news report detailing the data breach, firms have considerable latitude to respond. Most firms took advantage of this opportunity to control the damage by taking great pains to emphasize the remote possibility of identity theft as a result of the breach. However, some of the firms in the sample were considerably less forthcoming in their initial response to inquiries about their data breach. In an attempt to determine if the firm’s public comments about a data breach affect the stock market’s reaction, we assigned a value of one to a dummy variable “REFUSED_RESPONSE” if the news report reveals that the firm refused to answer direct questions about aspects of the data breach.

Firm size. In the context of overall operations, a data breach represents a smaller piece of information for a large firm than for a small one.
Consequently, one could expect the magnitude of negative abnormal returns associated with the occurrence of a data breach to be smaller for larger firms, in line with the expectations and findings of Cavusoglu et al. (2004). On the other hand, a larger firm would have greater resources at risk from a liability exposure stemming from a data breach, so larger firms may experience larger negative abnormal returns associated with a data breach. Additionally, larger firms may be expected to take more security precautions with their customer and employee data and would have the resources to do so. A failure despite these heightened expectations for larger firms might result in a stronger negative stock market response to news of a breach. Also, larger firms may be subject to more media scrutiny of their data protection practices. In any of these circumstances, larger firms may experience larger negative abnormal returns associated with a data breach. We proxy the size of the firm with the variable “LNMKTCAP”, which is the natural log of the firm’s market capitalization from the Compustat database at the end of the calendar year prior to the occurrence of the breach.[8]

[7] There are four types of firms in our sample that might have heightened expectations of data security: financial institutions, medical providers, insurers, and data brokers. A summary of the breakdown of breaches in these categories is included in Table 3. As a robustness test, several different models were specified including each type coded separately and in various possible combinations. No alternate specification materially changed the results reported in Table 6. Results from the model with the categories of high expectation broken out can be found in Appendix C.

Incidence of multiple breaches at the firm. Over the time frame examined in our sample, there are several instances of firms experiencing multiple data breaches. If negative abnormal returns are greater for firms experiencing multiple breaches during the time frame examined in our sample, it may tend to suggest that investors react more strongly to firms that fail to take appropriate measures to further protect sensitive information. If, however, there is no difference in the market reaction for a repeat occurrence, it would tend to suggest that investors have already incorporated the risk of a future data breach into the firm’s stock price. We assign a dummy variable, “REPEAT”, which is assigned a value of 1 if the breach represents a known repeat occurrence, and zero otherwise.[9]

Subsidiary status. Another firm-specific factor relates to the ownership status of the firm. For several events in the sample, the breached firm is a wholly-owned subsidiary. In these instances, we use the parent company’s stock price information to determine the effect of the data breach on shareholder wealth. We hypothesize that the negative abnormal returns for parent firms experiencing a breach at a subsidiary will be somewhat muted, since the parent company is one step removed from the breach. We assign a dummy variable, “SUBSIDIARY”, and assign a value of 1 if we analyze the parent company’s stock price, and zero otherwise.

Growth opportunities. A final firm-specific factor relates to the growth opportunities of the firm, which can be proxied by the firm’s market-to-book ratio.
We hypothesize that firms with higher growth opportunities will experience a greater negative market reaction to news of a data breach, as it will likely represent a setback in the achievement of already high growth expectations and/or force the firm to divert resources from growth opportunities and positive net present value projects to deal with the costs related to the data breach.

Breach characteristics. We now turn to an analysis of some characteristics of the data breach itself that may influence the magnitude and direction of the stock market response to news of a breach of customer and/or employee data.

Type of breach. The variety of data breach incidents makes meaningful classification particularly challenging. In our sample, we have several different types of data breaches involving the exposure of customer and/or employee personal data. For example, the ChoicePoint incident involved thieves stealing data for the specific purpose of committing identity theft and subsequent fraud. Several other events in the sample involve a stolen laptop computer, where the intent may or may not have been to steal personal data for the purpose of committing identity theft. Still other events involve data on laptops or backup tapes that are misplaced or lost, and the degree of exposure to identity theft is present but unknown. A further subsample of events does not correspond to any of the categories above, and the degree of exposure is completely unknown. For example, H&R Block accidentally sent out a mailing that had customers’ social security numbers on the printed label, available for anyone to see. However, it is unknown if any actual identity theft resulted from this incident, and even if it had, it would be extraordinarily difficult to identify this incident as the source. We create three dummy variables to classify these various types of data breaches, “ACTIVE”, “STOLEN”, and “LOST”. If it is clear from the description of the breach that the intent of the breach was to actively obtain personal data, we assign a value of 1 to “ACTIVE”, and a value of zero otherwise. If the breach involves a stolen computer or data tape and the intent of the thief is unclear, we assign a value of 1 to the variable “STOLEN”, and zero otherwise. If the breach involves a lost computer or backup tape, we assign a value of 1 to the variable “LOST”, and zero otherwise. If an event cannot be classified as described above, all three variables will have a value of zero.[10]

[8] Robustness tests included different specifications of firm size, using assets rather than market capitalization as a measure. These different specifications did not materially change the results reported in Table 6.
[9] One limitation of our construction of this variable is that if the firm has had a breach prior to January 1, 2004, it may not be recognized as a “repeat” in our sample. For example, if a firm had a breach in 2003, and another in 2005, we would not recognize it as a repeat since it occurred before the start date of our sample.

Breach size. The potential severity of the breach, and its attendant costs, are likely to be correlated with the number of records exposed.[11] In our sample of events, where known, we use the natural logarithm of the number of records exposed in the breach to proxy for the size of the breach, scaled by the natural logarithm of the market capitalization of the firm. Where the number of exposed records is unknown, we use the natural logarithm of the mean number of records exposed for all other breaches in the sample to approximate the size of these breaches, again scaled by the market capitalization of the firm.[12] We call this variable LNPEOPLE_LNMKTCAP.

Interaction terms. We expect that firms with a heightened expectation of data security would be strongly negatively affected by a successful attempt to steal data. Consequently, we include an interaction term in the model to capture this effect.[13]

Time Controls. Over the time period covered by our sample, states began to implement legislation mandating disclosure of data breach incidents. This may lead to an increase in negative reaction over time as the costs of a data breach may have increased

[10] A breakdown of the breaches in each category is included in Table 3. In alternate specifications of the model, the active, stolen, and lost categories of breaches were combined and rearranged in several ways. The various combinations of firm type were used in different specifications of the model. None materially changed the results reported in Table 6.
[11] Garg et al. (2003) find a positive relationship between the number of credit card records exposed and the magnitude of negative abnormal returns in a very small sample of four instances.
[12] There are 23 events in the sample where the number of records exposed is unknown. Omitting the variable measuring the number of records exposed does not materially change the results reported in Table 6. As an alternate method, we separate firms into quintiles by market capitalization, and use the mean breach size for known events to proxy for the events with unknown breach sizes within the quintile. When we include the projected breach size this way, results are not materially changed from those reported in Table 6.
[13] We examine several interaction terms that are not shown. None of these variables were statistically significant, and their inclusion did not change reported results. See Appendix B for details.
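As an added illustration (not code or data from the paper), the following Python builds the regressors defined above from a small constructed list of breach events: REPEAT is derived from event dates within the sample window (so a breach before January 1, 2004 is invisible, the limitation noted in footnote 9), ACTIVE/STOLEN/LOST are mutually exclusive, and an unknown breach size is filled with the mean count of the other breaches before the logarithm is taken. Firm names, dates, record counts and dollar figures are made up, and the BreachEvent field names are my own.

```python
"""Constructed example: building the cross-sectional regressors described in the
Hypothesis Development section.  Events, firms and figures below are invented."""
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional

SAMPLE_START = date(2004, 1, 1)   # sample window begins January 1, 2004


@dataclass
class BreachEvent:
    firm: str                  # firm whose stock is analysed (the parent if SUBSIDIARY)
    announced: date            # date of the initial news report
    breach_type: str           # "active", "stolen", "lost" or "other" (unclassifiable)
    records: Optional[int]     # number of records exposed; None when unknown
    market_cap: float          # prior-year-end market capitalisation (constructed)
    book_value: float          # prior-year-end book value (constructed)
    subsidiary: bool = False
    refused_response: bool = False
    high_expect: bool = False  # GLBA/HIPAA firm, insurer or data broker


def breach_type_dummies(kind):
    """ACTIVE, STOLEN and LOST are mutually exclusive; all three are 0 when the
    event fits none of the categories (the H&R Block mailing case)."""
    table = {"active": (1, 0, 0), "stolen": (0, 1, 0), "lost": (0, 0, 1)}
    return table.get(kind, (0, 0, 0))


def repeat_flags(events):
    """REPEAT = 1 if the same firm already had a breach earlier in `events`.
    Only in-sample events are passed in, so a breach before SAMPLE_START is
    invisible here, which is exactly the limitation footnote 9 describes."""
    order = sorted(range(len(events)), key=lambda i: events[i].announced)
    seen, flags = set(), [0] * len(events)
    for i in order:
        flags[i] = 1 if events[i].firm in seen else 0
        seen.add(events[i].firm)
    return flags


def imputed_records(events):
    """Mean record count over breaches with a known count, used to fill in
    unknown breach sizes.  The paper takes ln(mean), not mean(ln)."""
    known = [ev.records for ev in events if ev.records is not None]
    if not known:
        raise ValueError("no event has a known record count; cannot impute")
    return sum(known) / len(known)


def lnpeople_lnmktcap(records, market_cap):
    """Breach size proxy: ln(records exposed) scaled by ln(market capitalisation)."""
    return math.log(records) / math.log(market_cap)


def build_regressors(events):
    """Return one dict of regressors per in-sample event, in input order."""
    in_sample = [ev for ev in events if ev.announced >= SAMPLE_START]
    flags = repeat_flags(in_sample)
    fill = imputed_records(in_sample)
    rows = []
    for ev, rep in zip(in_sample, flags):
        active, stolen, lost = breach_type_dummies(ev.breach_type)
        n_records = ev.records if ev.records is not None else fill
        rows.append({
            "firm": ev.firm,
            "HIGH_EXPECT": int(ev.high_expect),
            "REFUSED_RESPONSE": int(ev.refused_response),
            "LNMKTCAP": math.log(ev.market_cap),
            "REPEAT": rep,
            "SUBSIDIARY": int(ev.subsidiary),
            "MKT_TO_BOOK": ev.market_cap / ev.book_value,
            "ACTIVE": active, "STOLEN": stolen, "LOST": lost,
            "LNPEOPLE_LNMKTCAP": lnpeople_lnmktcap(n_records, ev.market_cap),
        })
    return rows


# Constructed sample: five events, one of which predates the sample window.
EVENTS = [
    BreachEvent("FIRM_A", date(2005, 2, 15), "active", 140_000, 2.0e9, 5.0e8, high_expect=True),
    BreachEvent("FIRM_B", date(2005, 6, 1), "stolen", None, 5.0e9, 2.5e9, subsidiary=True),
    BreachEvent("FIRM_A", date(2006, 3, 10), "lost", 10_000, 2.2e9, 5.5e8,
                high_expect=True, refused_response=True),
    BreachEvent("FIRM_C", date(2003, 11, 5), "active", 50_000, 1.0e9, 4.0e8),  # pre-sample
    BreachEvent("FIRM_C", date(2004, 8, 20), "other", 40_000, 1.1e9, 4.5e8),
]

if __name__ == "__main__":
    for row in build_regressors(EVENTS):
        print(row)
```

Note that FIRM_C's 2004 event gets REPEAT = 0 even though the firm had a 2003 breach, because the earlier event falls outside the window the paper's variable can see.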

Page 12: The Effect of Data Breaches on Shareholder Wealth


Table 2: Posited Relation of Independent Variables and Cumulative Abnormal Returns

Firm Characteristics

Variable14 | Expected Sign15 | Definition
HIGH_EXPECT | - | A dummy variable equal to 1 if the firm primarily involved in the data breach is an institution expected to adhere to a higher level of data security, such as one subject to the requirements regarding data security established under the authority of GLBA or HIPAA, or a data warehousing firm, and 0 otherwise.
REFUSED_RESPONSE | - | A dummy variable equal to 1 if the firm refused to answer questions about the data breach in the initial news report, and 0 otherwise.
LNMKTCAP | +/- | The natural logarithm of the market capitalization of the firm, obtained from the Compustat database at the end of the calendar year prior to the breach, as a proxy for size.
REPEAT | -/N.S. | A dummy variable equal to 1 if the firm has experienced a data breach prior to the current instance, but subsequent to January 1, 2004, and 0 otherwise.
SUBSIDIARY | + | A dummy variable equal to 1 if the firm whose data was potentially breached is a subsidiary of a publicly-traded firm, and 0 otherwise.
MKT_TO_BOOK | - | The firm’s market capitalization divided by its book value. Both values are taken from the Compustat database at the end of the year prior to the breach.

Breach Characteristics

Variable | Expected Sign | Definition
ACTIVE | - | A dummy variable equal to 1 if it is evident in the description of the data breach that the intent of the breach was to steal personal data, and 0 otherwise.
STOLEN | -/N.S. | A dummy variable equal to 1 if the description of the data breach reveals that a laptop or other device on which customers’ or employees’ personal data is stored has been stolen and it is unknown whether the intent of the breach was to steal personal data, and 0 otherwise.
LOST | -/N.S. | A dummy variable equal to 1 if the description of the data breach reveals that a laptop or other device on which customer and/or employee personal data is stored has been lost or misplaced, and 0 otherwise.
LNPEOPLE_LNMKTCAP | - | The natural logarithm of the number of people’s records exposed by the data breach (if known), scaled by the natural log of the firm’s market capitalization, or, if the number of records is unknown, the natural log of the average breach size of the sample, scaled by the natural log of the firm’s market capitalization.
MONTH | -/N.S. | The month of the sample (1-36) in which the breach occurred.
HIGH_EXPECT_X_ACTIVE | - | An interaction term multiplying the value of HIGH_EXPECT by the value of ACTIVE.

14 Additional variables are included in some robustness tests.
15 N.S. stands for “no significance”.


with the passage of new legislation. Alternatively, if investors already factor the risk of potential data breaches into security prices, one would expect no association between time and abnormal returns. Our sample covers a three-year time period (36 months). We establish an independent variable, “MONTH”, indicating the month of the sample in which the breach occurred. If the costs of data breaches have increased over time, we would expect a negative relationship between MONTH and the cumulative abnormal returns. Similarly, our sample can be classified into twelve quarterly periods. In this specification, a series of dummy variables is used to indicate in which quarter of the sample the data breach occurred. The first quarter of 2004 (QTR1) is excluded from the model as the holdout quarter.16 This model specification is included in Appendix A. Finally, separate portfolios of events can be constructed by quarter, and the cumulative abnormal returns of each of these portfolios can be compared. We do so in Appendix A as a robustness check to further identify changes in investors’ perceptions of the cost of data breaches over time.

DATA AND RESEARCH METHODOLOGY

In our analysis, we use an event study methodology to examine the cumulative abnormal returns over several event windows associated with breaches of customer and/or employee data. Our sample of data breaches is compiled by combining searches of the Lexis-Nexis database from January 1, 2004 to December 31, 2006 with a list compiled by the Privacy Rights Clearinghouse of more than 440 events occurring between February 15, 2005 (the date of the ChoicePoint incident) and December 2006.17 After screening out instances that occurred at government agencies, universities, and private companies, 90 instances of customer and/or employee data exposure at publicly traded companies were identified. To be included in the sample, a company had to have been listed in the CRSP database at the time of the breach. We searched the Lexis-Nexis database for confounding events during the two-week period surrounding the data breach, such as merger announcements, earnings announcements, and other major operational announcements, and deleted 12 events experiencing both a data breach and a confounding event. Finally, we eliminated one outlier event identified during the cross-sectional analysis by its vastly larger Cook’s distance, leaving a final sample of 77 events. Table 3 provides some information about the relative frequency of data breaches over the time period. It also presents some information about the frequency of data breaches by type of firm and about breach characteristics of the events in our sample.18

16 A breakdown of the number of breaches by quarter is included in Table 3.
17 Firm-level data included in the cross-sectional analysis come from the Compustat database.
18 Table 3 consists of 90 events. For descriptive purposes, the 12 confounded events (and one outlier) are still included.


Table 3: Descriptive Statistics of Analyzed Data Breaches

Frequency of Data Breaches Over Time

Quarter 1 | 1 | Quarter 7 | 4
Quarter 2 | 1 | Quarter 8 | 7
Quarter 3 | 1 | Quarter 9 | 10
Quarter 4 | 0 | Quarter 10 | 15
Quarter 5 | 4 | Quarter 11 | 20
Quarter 6 | 13 | Quarter 12 | 14

Data Breaches by Type of Firm

Banks and Financial Services | 28 | Data Processors/Brokers | 8
Medical Providers | 6 | Insurance Companies | 5
Retailers | 13 | Other | 30

Data Breaches by Type of Breach

Active | 25 | Stolen | 36 | Lost | 15 | Other | 14

We use the standard event study methodology outlined in Brown and Warner (1985), where the returns for each company’s stock j (j = 1, …, J) are estimated using the market model as follows:

R_{jt} = \alpha_j + \beta_j R_{mt} + \varepsilon_{jt}    (1)

R_jt and R_mt represent the returns of company j and of the market (measured by the value-weighted CRSP index), respectively, for day t.19 On the event date (t = 0), ε_jt represents the abnormal return (the difference between the actual return and the expected return generated by the estimation of the market model). The parameters of the market model are estimated using ordinary least squares (OLS) over the estimation window (-252, -7). This window begins one year prior to the event date and ends seven trading days prior to the public announcement of the data breach. This process estimates what the stock’s return relative to the market would have been in the absence of a major event. After expected returns have been estimated, abnormal returns for company j on day t can be calculated as follows:

19 The use of the equally-weighted CRSP index or the S&P 500 index to proxy for the market does not materially change the results displayed in Table 5. Also, there is no material difference between the analysis of the 77 events reported here using the market model and analysis using the Fama-French three-factor model. Results are available from the authors upon request.

AR_{jt} = R_{jt} - [\hat{\alpha}_j + \hat{\beta}_j R_{mt}]    (2)

To capture the full effect of a data breach, one might wish to consider cumulative abnormal returns over k days, as follows:

CAR_j(k) = \sum_{t=0}^{k} AR_{jt}, \quad k = 0, \ldots, 6.    (3)

Considering cumulative abnormal returns over a multi-day event window allows us to examine and investigate the persistence of the stock market reaction to the news of a data breach. Ideally, in an efficient market, the window (0,0) should perfectly capture the stock market’s reaction to news of a data breach. However, since announcements of data breaches could occur at varying times during the day, the two-day event window (0,1) is expected to best capture the stock market response to news of a data breach. In our results, the difference between the two is slight. We present results related to selected event windows of up to 120 days in Table 5. Also included in Table 5 are event windows that begin prior to the event date, to test for information leakage. We see no strong evidence indicating that our results are contaminated by leakage, since only windows beginning with the event date are statistically significant at the one or five percent level.

To better understand the factors potentially related to variation in the firm-level CARs, a cross-sectional analysis is created and the following model is estimated:

CAR_j = α + β1(HIGH_EXPECT) + β2(REFUSED_RESPONSE) + β3(LNMKTCAP) + β4(REPEAT) + β5(SUBSIDIARY) + β6(MKT_TO_BOOK) + β7(ACTIVE) + β8(STOLEN) + β9(LOST) + β10(LNPEOPLE_LNMKTCAP) + β11(MONTH) + β12(HIGH_EXPECT_X_ACTIVE) + ε_j    (4)

Summary statistics are displayed in Table 4.
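As an added example (not the paper's own code), the market-model event study of equations (1) through (3) and the Patell Z test reported in Table 5, run end to end on constructed daily returns for a handful of hypothetical firms that all suffer an abnormal drop on the announcement day; the firm betas, the size of the drop, and the random seed are assumptions, and the pre-event window (-2,-1) is included as the leakage check the text describes.

```python
"""Added example, not the paper's code: the market-model event study of
equations (1)-(3) plus the Patell Z test of Table 5, on constructed returns.
Standard library only, so it runs offline."""
import math
import random
from dataclasses import dataclass

EST_START, EST_END = -252, -7   # estimation window (-252, -7) used in the paper


@dataclass
class MarketModel:
    alpha: float
    beta: float
    resid_var: float   # s_j^2 = sum(e^2) / (T - 2)
    n_obs: int         # T, trading days in the estimation window
    mkt_mean: float    # mean market return in the estimation window
    mkt_ss: float      # sum of squared market deviations (Patell adjustment)


def fit_market_model(firm, mkt):
    """OLS estimate of R_jt = alpha_j + beta_j R_mt + e_jt, equation (1).
    `firm` and `mkt` map relative trading day -> daily return."""
    days = [d for d in range(EST_START, EST_END + 1) if d in firm and d in mkt]
    x = [mkt[d] for d in days]
    y = [firm[d] for d in days]
    n = len(days)
    xbar, ybar = sum(x) / n, sum(y) / n
    sxx = sum((xi - xbar) ** 2 for xi in x)
    sxy = sum((xi - xbar) * (yi - ybar) for xi, yi in zip(x, y))
    beta = sxy / sxx
    alpha = ybar - beta * xbar
    resid = [yi - (alpha + beta * xi) for xi, yi in zip(x, y)]
    s2 = sum(e * e for e in resid) / (n - 2)
    return MarketModel(alpha, beta, s2, n, xbar, sxx)


def abnormal_returns(model, firm, mkt, days):
    """Equation (2): AR_jt = R_jt - (alpha_hat_j + beta_hat_j R_mt)."""
    return {d: firm[d] - (model.alpha + model.beta * mkt[d]) for d in days}


def car(ar, start, end):
    """Equation (3) for an arbitrary window: CAR_j = sum of AR_jt over (start, end)."""
    return sum(ar[d] for d in range(start, end + 1))


def patell_z(models, ars, mkt, start, end):
    """Patell standardized-residual Z for H0: CARs over (start, end) average zero.
    Each AR is divided by its forecast standard error (residual s.d. times the
    out-of-sample correction); the per-firm sum has variance L(T-2)/(T-4)."""
    window = range(start, end + 1)
    total = var = 0.0
    for m, ar in zip(models, ars):
        csar = 0.0
        for d in window:
            adj = 1 + 1 / m.n_obs + (mkt[d] - m.mkt_mean) ** 2 / m.mkt_ss
            csar += ar[d] / math.sqrt(m.resid_var * adj)
        total += csar
        var += len(window) * (m.n_obs - 2) / (m.n_obs - 4)
    return total / math.sqrt(var)


def run_constructed_study(n_firms=5, seed=7):
    """Constructed sample (an assumption, not the paper's data): each firm follows
    the market model with a known beta and suffers an abnormal -3% / -1% return on
    days 0 and 1, the breach announcement. Returns Table 5 style statistics for
    the leakage-check window (-2,-1) and the main window (0,1)."""
    rng = random.Random(seed)
    days = range(EST_START, 11)                 # day -252 .. day +10
    mkt = {d: rng.gauss(0.0003, 0.01) for d in days}
    true_betas = [0.8 + 0.1 * j for j in range(n_firms)]
    models, ars, cars = [], [], []
    for beta in true_betas:
        firm = {d: 0.0002 + beta * mkt[d] + rng.gauss(0.0, 0.005) for d in days}
        firm[0] -= 0.03
        firm[1] -= 0.01
        m = fit_market_model(firm, mkt)
        ar = abnormal_returns(m, firm, mkt, range(-5, 11))
        models.append(m)
        ars.append(ar)
        cars.append(car(ar, 0, 1))
    return {
        "true_betas": true_betas,
        "est_betas": [m.beta for m in models],
        "mean_car_0_1": sum(cars) / n_firms,
        "neg_0_1": sum(1 for c in cars if c < 0),     # Positive:Negative column
        "z_pre": patell_z(models, ars, mkt, -2, -1),  # no leakage -> near zero
        "z_0_1": patell_z(models, ars, mkt, 0, 1),    # strongly negative
    }


if __name__ == "__main__":
    r = run_constructed_study()
    print(f"mean CAR(0,1) = {r['mean_car_0_1']:.2%}  Patell Z = {r['z_0_1']:.2f}  "
          f"pre-event Z = {r['z_pre']:.2f}  negatives = {r['neg_0_1']}/5")
```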


Table 4: Summary Statistics

Variable | N | Mean | Std. Dev. | Min | Max
MONTH | 77 | 26.81 | 7.8618 | 1 | 36
HIGH_EXPECT | 77 | 0.5065 | 0.5032 | 0 | 1
REFUSED_RESPONSE | 77 | 0.0519 | 0.2234 | 0 | 1
LNMKTCAP | 77 | 16.202 | 1.9122 | 11.231 | 19.317
REPEAT | 77 | 0.1818 | 0.3882 | 0 | 1
SUBSIDIARY | 77 | 0.0909 | 0.2894 | 0 | 1
ACTIVE | 77 | 0.2468 | 0.4339 | 0 | 1
STOLEN | 77 | 0.3766 | 0.4877 | 0 | 1
LOST | 77 | 0.1948 | 0.3986 | 0 | 1
HIGH_EXPECT_X_ACTIVE | 77 | 0.1039 | 0.3071 | 0 | 1
LNPEOPLE_LNMKTCAP | 77 | 0.2017 | 0.7365 | 0.00000063 | 4.7434
MKT_TO_BOOK | 77 | 3.194 | 5.2073 | -1.946 | 44.859
CAR over (0,1) | 77 | -0.0084 | 0.1811 | -0.0877 | 0.0272

RESULTS

Overall, we find that the impact of a data breach on shareholder wealth is negative and statistically significant at the .01 level. The mean cumulative abnormal return (CAR) for all 77 data breach events over the event window (0,1) is -0.84%. Results from the Patell Z test indicate that the effect persists with varying significance out to 40 days, after which market values appear to return to pre-breach levels. Table 5 shows the mean CARs for all 77 events for the event windows (0,0) through (0,180), along with several additional selected event windows. The table also shows the number of companies experiencing positive and negative CARs over the respective event windows. We can see that negative CARs outnumber positive CARs in all tested event windows that contain the event date and are shorter than 60 days, most strongly over the most immediate event window of (0,1). Since the Z-tests are negative and significant at the 5% level for all event windows (0,0) through (0,35), we reject the null hypothesis that a data breach has no effect on a breached firm’s stock price.20 The effect of a data breach may seem to be relatively small, even though it is statistically significant. However, the median value of market capitalization for firms in our sample is slightly more than $10 billion. Consequently, a two-day loss of 0.84% would correspond to a loss of $84 million in market value for the median-sized firm.

20 All windows beginning with the event date, including those not shown, are significant at the five percent level or better through day 35, as measured by the Patell Z test. Windows through day 39 are significant at the 10 percent level or better.


Table 5: Cumulative Abnormal Returns (CARs) by Selected Event Windows

Event Window | N | Mean CARs | Positive:Negative | Patell Z | Generalized Sign Z
(-5,0) | 77 | -0.11% | 37:40 | -0.170 | 0.037
(-2,-1) | 77 | -0.17% | 39:38 | 0.552 | 0.494
(-1,0) | 77 | -0.46% | 31:46 | -1.324* | -1.331*
(0,0) | 77 | -0.57% | 25:52 | -3.646*** | -2.700***
(0,1) | 77 | -0.84% | 27:50 | -3.887*** | -2.244**
(0,2) | 77 | -0.48% | 30:47 | -1.850** | -1.560*
(0,3) | 77 | -0.68% | 34:43 | -2.299** | -0.647
(0,4) | 77 | -0.42% | 34:43 | -1.759** | -0.647
(0,5) | 77 | -0.74% | 33:44 | -2.202** | -0.875
(0,6) | 77 | -0.59% | 34:43 | -2.033** | -0.647
(0,10) | 77 | -0.76% | 36:41 | -2.273** | -0.191
(0,20) | 77 | -0.96% | 34:43 | -2.084** | -0.647
(0,30) | 77 | -1.10% | 35:42 | -2.231** | -0.419
(0,35) | 77 | -1.01% | 33:44 | -1.777** | -0.875
(0,39) | 77 | -0.85% | 33:44 | -1.582* | -0.875
(0,40) | 77 | -0.43% | 36:41 | -1.133 | -0.191
(0,60) | 77 | 0.78% | 35:42 | -0.290 | -0.419
(0,180) | 77 | -2.48% | 41:36 | -1.203 | 0.950

Note: N refers to the number of events in the sample. Mean CARs is the average of all the cumulative abnormal returns in the sample. The number of events with positive CARs is compared to the number of events with negative CARs. The Patell Z-score is the test statistic for the null hypothesis that the CAR is not significantly different from zero. The symbols *, **, and *** indicate statistical significance at the .1, .05, and .01 levels, respectively.

Cross-sectional Results

We conduct a cross-sectional analysis to examine the potential relation of firm and breach characteristics to the magnitude and direction of the stock market response to news of a data breach at a publicly traded firm, as specified in equation 4. The results of the regression modeling the determinants of the stock market reaction to a data breach can be found in Table 6.21

21 Our analysis of pairwise correlations and variance inflation factors does not reveal evidence of multicollinearity. We correct for heteroskedasticity when estimating the regression model by using the Huber-White “sandwich” estimator of variance in computing standard errors.


Table 6: Cross-Sectional Analysis of Cumulative Abnormal Returns

Variable | Estimate | T-Statistic | Probability Value
INTERCEPT | -0.0224 | -1.19 | 0.238
HIGH_EXPECT | -0.0020 | -0.39 | 0.698
REFUSED_RESPONSE | -0.0304 | -4.09 | -0.000***
LNMKTCAP | 0.0022 | 2.04 | 0.046**
REPEAT | 0.0062 | 1.20 | 0.234
SUBSIDIARY | 0.0102 | 2.11 | 0.039**
ACTIVE | -0.0062 | -0.96 | 0.340
STOLEN | -0.0070 | -1.20 | 0.234
LOST | -0.0083 | -1.37 | 0.174
HIGH_EXPECT_X_ACTIVE | 0.0055 | 0.75 | 0.455
LNPEOPLE_LNMKTCAP | 0.0012 | 0.66 | 0.511
MKT_TO_BOOK | -0.0011 | -4.09 | -0.000***
MONTH | -0.0005 | -2.27 | -0.027**
Sample Size | 77
F-Statistic | 0.0000
R2 | 0.3311

The symbols *, **, and *** indicate statistical significance at the .1, .05, and .01 levels, respectively.

Upon examination of the cumulative abnormal returns and their relation to characteristics of the firm involved in a customer and/or employee data breach, we find that the coefficient on the variable REFUSED_RESPONSE is negative and significant at the .01 level. This result implies a negative impact related to providing no response to direct inquiries about the data breach. We also find that data breaches at firms with higher growth opportunities (as proxied by market-to-book) are associated with a greater negative stock market response. We further find that the coefficient on the size variable LNMKTCAP is positive and significant at the .05 level. It appears that larger firms may be somewhat more insulated from the negative effects of a data breach. This result also indicates that the stock market reaction to a breach at a smaller firm may be more severe than the reaction to a breach at a larger firm. This finding is compatible with results found in Cavusoglu et al. (2004), although their sample consisted of a greater diversity of events. Similarly, we find that the coefficient on the variable SUBSIDIARY is positive and significant at the .05 level. It appears that parent firms may be somewhat insulated from the negative effects of a data breach at a subsidiary firm. As for the context-specific variable measuring the intensity of the stock market’s response to breaches over time, we find a negative relationship between MONTH and the stock market response, indicating that events occurring in more recent months of the sample are accompanied by a stronger negative stock market reaction. Additional examination of the stock market’s reaction to data breaches over time can be found in Appendix A, where we provide additional evidence to support the notion that data breaches in the more recent periods of the sample are associated with a greater magnitude of negative returns. This relationship could potentially be explained by noting that by this time, most states had enacted legislation pertaining to data breaches. As states began to accelerate data breach notification requirements, investors’ perceptions of the costs of a data breach may have increased and might be at their highest in the most recent months of our sample, accounting for the stronger negative market reaction.

We can see that none of the coefficients of variables involving the nature of the breach or the number of records exposed (ACTIVE, STOLEN, LOST, and LNPEOPLE_LNMKTCAP) are statistically different from zero. Consistent with the results of Cavusoglu et al. (2004), in our sample it does not appear that characteristics of the breach can explain the magnitude or direction of the stock market’s response to news of a data breach. Further testing of this result is provided in Appendix B.

CONCLUSIONS AND FUTURE RESEARCH

Using event study methodology, we find evidence that the stock market responds negatively to announcements of breaches of customer and/or employee data at publicly traded firms. We find evidence that the negative reaction is stronger for firms with higher growth opportunities (as proxied by the market-to-book ratio). We further find evidence to support the notion that the stock market reacts more strongly if a firm refuses to provide details about the breach. We find that firm size and subsidiary status seem to mitigate the stock market’s negative reaction to a data breach. Finally, we find evidence to suggest that the stock market’s negative reaction to news of a data breach is strongest in the most recent time periods of the sample, perhaps due to an increase in perceived costs related to new legislation.
As data breaches continue and state and federal lawmakers pass further legislation, the analysis of data breaches and their effect on shareholder wealth will need to be extended. Future research involving an even larger sample devoted solely to customer and/or employee data breaches involving the potential for liability exposure for the breached firm would be useful in drawing broader conclusions. Additionally, future research controlling for the effects of state legislation would also be quite helpful in clarifying the effect of legislation on investor response to news of a data breach.

In addition to policymakers and regulators, our findings are of interest both to investors and to firms. All groups should be aware that investors view breaches of customer and/or employee data negatively, particularly for those firms with higher growth opportunities. Firms should note that refusing to provide details about the breach is likely to be associated with a greater decrease in shareholder value. Smaller firms appear to have a greater cause for concern, since our evidence suggests that larger firms are somewhat insulated from the market’s negative reaction to news of a data breach. Our research also suggests that the negative market reaction to a data breach has been increasing in more recent time periods. Overall, our results should encourage firms to protect shareholder wealth by improving their data security practices, and should reassure firms that have placed a high priority on customer and/or employee data security.


APPENDIX A

A Further Investigation of the Stock Market Reaction to Data Breaches Over Time

Rather than using MONTH as an independent variable, the three-year sample can be broken down into twelve quarters. Dummy variables can then be assigned, so that each event occurs in a particular quarter of the sample. We can then estimate a cross-sectional regression identical to Equation 4 in all other respects as follows:

CAR_j = α + β1(HIGH_EXPECT) + β2(REFUSED_RESPONSE) + β3(LNMKTCAP) + β4(REPEAT) + β5(SUBSIDIARY) + β6(ACTIVE) + β7(STOLEN) + β8(LOST) + β9(HIGH_EXPECT_X_ACTIVE) + β10(LNPEOPLE_LNMKTCAP) + β11(MKT_TO_BOOK) + \sum_{i=12}^{23} β_i(QTR_{i-11}) + ε_j    (5)

Table 7: Alternative Cross-Sectional Analysis of Cumulative Abnormal Returns

Variable | Estimate | T-Statistic | Probability Value
INTERCEPT | -0.0237 | -1.22 | 0.227
HIGH_EXPECT | -0.0032 | -0.54 | 0.589
REFUSED_RESPONSE | -0.0270 | -4.86 | 0.000***
LNMKTCAP | 0.0019 | 1.79 | 0.078*
REPEAT | 0.0098 | 1.84 | 0.070*
SUBSIDIARY | 0.0121 | 2.38 | 0.021**
ACTIVE | -0.0027 | -0.38 | 0.706
STOLEN | -0.0034 | -0.60 | 0.549
LOST | -0.0039 | -0.61 | 0.542
HIGH_EXPECT_X_ACTIVE | 0.0053 | 0.78 | 0.442
LNPEOPLE_LNMKTCAP | 0.0034 | 1.39 | 0.170
MKT_TO_BOOK | -0.0043 | -0.32 | 0.748
QTR2 | -0.0302 | -0.52 | 0.607
QTR3 | -0.0209 | -1.68 | 0.099*
QTR5 | -0.0042 | -0.50 | 0.619
QTR6 | -0.0180 | -1.92 | 0.061*
QTR7 | -0.0154 | -1.63 | 0.109
QTR8 | -0.0064 | -0.73 | 0.470
QTR9 | -0.0060 | -0.65 | 0.517
QTR10 | -0.0042 | -0.53 | 0.598
QTR11 | -0.0167 | -2.04 | 0.046**
QTR12 | -0.0250 | -2.23 | 0.030**
Sample Size | N = 77
F-Stat | 0.0000
R2 | 0.4580

Note: There are no events in the sample occurring in quarter 4; thus, that quarter has been omitted. The symbols *, **, and *** indicate statistical significance at the .1, .05, and .01 levels, respectively.


When quarters are used as the time variable, we note a slight negative coefficient associated with events in quarters 3 and 6. Stronger negative associations are seen in quarters 11 and 12, indicating that the most recent periods of the sample are more strongly associated with negative cumulative abnormal returns. We believe this result can possibly be attributed to most states passing mandatory disclosure laws by the end of 2006.

Examination of “Quarter Portfolios” of Data Breach Events22

As an additional robustness test, we construct portfolios of events occurring in each quarter. We then examine the cumulative abnormal returns for the group of events occurring in each quarter. Results follow in Table 8 below.

Table 8: Cumulative Abnormal Returns (CARs) by Quarter Portfolios

Quarter | N | Mean CAR | Positive:Negative | Patell Z-score
5 | 4 | 0.08% | 2:2 | 0.056
6 | 7 | -1.05% | 4:3 | -1.444*
7 | 4 | -0.81% | 1:3 | -1.548*
8 | 6 | -0.29% | 3:3 | -0.186
9 | 8 | -0.04% | 5:3 | -0.171
10 | 13 | -0.02% | 5:8 | -0.031
11 | 18 | -1.31% | 4:14 | -3.373***
12 | 14 | -1.87% | 2:12 | -3.600***

Note: N refers to the number of data breach events occurring in each quarter. Only a single data breach event occurred in each of the first, second, and third quarters of our sample, so portfolios of events in those quarters are omitted because they would consist of a sole observation. Consequently, the sum total of N is 74 rather than 77. The Mean CAR is the average of the cumulative abnormal returns over the event window (0,1). The column labeled Positive:Negative indicates the number of events with positive cumulative abnormal returns and the number of events with negative cumulative abnormal returns. The Patell Z-score is the test statistic for the null hypothesis that the cumulative abnormal returns over the event window (0,1) are equal to zero. The .10, .05, and .01 significance levels are indicated by *, **, and *** respectively.

From the table, we see evidence of a slight negative stock market response to data breaches in quarters 6 and 7. We note that these quarters immediately follow the ChoicePoint data breach, which received much media attention. We see strong evidence of a negative market reaction to data breaches that occurred in quarters 11 and 12, the two most recent of our sample. Again, this could possibly be explained by the passage of mandatory disclosure laws taking effect in most states by this time. In sum, it appears that the finding of stronger negative market reactions in the most recent time period of the sample is robust.

22 We thank an anonymous reviewer for suggesting this method as an additional robustness test of the relationship between cumulative abnormal returns and time.

APPENDIX B

We investigated several specifications of the model involving various interaction terms in an attempt to garner additional explanatory power. We included the interaction term REPEAT_HIGH_EXPECT to see if the market responded more harshly to firms expected to maintain higher data security standards experiencing repeat breaches. We included the interaction terms REPEAT_STOLEN and REPEAT_ACTIVE to proxy for firms that might be more careless or more valuable targets, respectively. Finally, we also included the interaction term HIGH_EXPECT_LOST to see if firms with high expectations experiencing a loss resulting from carelessness would experience a greater negative market reaction. The model and results for this specification are shown below. We note that the additional interaction terms do not materially change the results reported, and add only .03 to the R2.

CAR_j = α + β1(HIGH_EXPECT) + β2(REFUSED_RESPONSE) + β3(LNMKTCAP) + β4(SUBSIDIARY) + β5(ACTIVE) + β6(STOLEN) + β7(LOST) + β8(HIGH_EXPECT_X_ACTIVE) + β9(LNPEOPLE_LNMKTCAP) + β10(MKT_TO_BOOK) + β11(MONTH) + β12(REPEAT_HIGH_EXPECT) + β13(REPEAT_ACTIVE) + β14(REPEAT_STOLEN) + β15(HIGH_EXPECT_LOST) + ε_j    (6)

Table 9: Cross-Sectional Analysis of Cumulative Abnormal Returns

Variable | Estimate | T-Statistic | Probability Value
INTERCEPT | -0.0193 | -1.02 | 0.309
HIGH_EXPECT | -0.0055 | -0.82 | 0.414
REFUSED_RESPONSE | -0.0304 | -4.09 | -0.000***
LNMKTCAP | 0.0021 | 1.93 | 0.058*
SUBSIDIARY | 0.0103 | 2.27 | 0.027**
ACTIVE | -0.0080 | -1.25 | 0.217
STOLEN | -0.0081 | -1.22 | 0.229
LOST | -0.0131 | -1.25 | 0.215
HIGH_EXPECT_X_ACTIVE | 0.0076 | 0.93 | 0.355
LNPEOPLE_LNMKTCAP | 0.0016 | 1.04 | 0.302
MKT_TO_BOOK | -0.0001 | -4.93 | -0.000***
MONTH | -0.0005 | -2.19 | -0.032**
REPEAT_HIGH_EXPECT | 0.0084 | 1.12 | 0.268
REPEAT_ACTIVE | 0.0009 | 0.13 | 0.899
REPEAT_STOLEN | 0.0068 | 0.85 | 0.396
HIGH_EXPECT_LOST | 0.0084 | 0.70 | 0.489
Sample Size | 77
F-Statistic | 0.0000
R2 | 0.3600

The symbols *, **, and *** indicate statistical significance at the .1, .05, and .01 levels, respectively.


APPENDIX C

We further investigate some subdivisions of breaches fitting the description of HIGH_EXPECT.23 Originally, we had assigned a value of 1 to this category for a breach occurring at a firm subject to the GLBA or HIPAA provisions, or if a higher level of data security would be expected (such as at a data broker). There were four sub-classifications of firms meeting this criterion: financial institutions, medical providers, insurers, and data processors. In the model specification and results shown below, we examine these categories of firms separately, assigning a value of one if the firm meets this sub-classification and zero otherwise. We can see from the table that examining the sub-categories comprising the HIGH_EXPECT group yields no material changes. In addition, the R2 does not change appreciably. Consequently, we find more evidence from our sample that the type of firm is not related to the negative abnormal returns.

CAR_j = α + β1(REFUSED_RESPONSE) + β2(LNMKTCAP) + β3(SUBSIDIARY) + β4(ACTIVE) + β5(STOLEN) + β6(LOST) + β7(HIGH_EXPECT_X_ACTIVE) + β8(REPEAT) + β9(LNPEOPLE_LNMKTCAP) + β10(MKT_TO_BOOK) + β11(MONTH) + β12(FINANCIAL) + β13(MEDICAL) + β14(INSURANCE) + β15(DATAPROC) + ε_j    (6)

Table 10: Cross-Sectional Analysis of Cumulative Abnormal Returns

Variable | Estimate | T-Statistic | Probability Value
INTERCEPT | -0.0204 | -1.26 | 0.211
REFUSED_RESPONSE | -0.0307 | -4.24 | 0.000***
LNMKTCAP | 0.0024 | 2.11 | 0.039**
SUBSIDIARY | 0.0110 | 2.21 | 0.031**
ACTIVE | -0.0061 | -0.94 | 0.353
STOLEN | -0.0064 | -1.09 | 0.279
LOST | -0.0801 | -1.29 | 0.202
HIGH_EXPECT_X_ACTIVE | 0.0035 | 0.47 | 0.643
REPEAT | 0.0045 | 0.76 | 0.453
LNPEOPLE_LNMKTCAP | 0.0016 | 0.85 | 0.399
MKT_TO_BOOK | -0.0001 | -5.11 | 0.000***
MONTH | -0.0005 | -2.33 | 0.023**
FINANCIAL | -0.0049 | -0.86 | 0.393
MEDICAL | 0.0074 | 1.25 | 0.216
INSURANCE | -0.0025 | -0.38 | 0.706
DATA_PROC | 0.0062 | 0.93 | 0.354
Sample Size | 77
F-Statistic | 0.0000
R2 | 0.3665

The symbols *, **, and *** indicate statistical significance at the .1, .05, and .01 levels, respectively.

23 We thank an anonymous reviewer for suggesting further investigation of these sub-categories.


REFERENCES

Born, Patricia, Carmelo Giacotto, and Titos Ritsatos, 2004, The Wealth and Information Effects of Insurers’ Open Market Stock Repurchase Announcements, Risk Management and Insurance Review, 7(1): 25-40.
Brown, Stephen and Jerold Warner, 1985, Using Daily Stock Returns: The Case of Event Studies, Journal of Financial Economics, 14: 3-31.
Campbell, Katherine, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou, 2003, The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence From the Stock Market, Journal of Computer Security, 11: 431-448.
Cavusoglu, Huseyin, Birendra Mishra, and Srinivasan Raghunathan, 2004, The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, International Journal of Electronic Commerce, 9(1): 69-104.
ChoicePoint, 2006, Website www.choicepoint.com, accessed June 30, 2006.
Fama, Eugene, 1969, The Adjustment of Stock Prices to New Information, International Economic Review, 10: 1-21.
Fama, Eugene and Kenneth French, 1992, The Cross-Section of Expected Stock Returns, Journal of Finance, 47(2): 427-465.
Federal Trade Commission, 2007, Website http://www.ftc.gov/os/caselist/0423160/050616agree0423160.pdf, accessed September 17, 2007.
Garg, Ashish, Jeffrey Curtis, and Hilary Harper, 2003, Quantifying the Financial Impact of IT Security Breaches, Information Management and Computer Security, 11(2/3): 74-83.
Hovav, Anat and John D’Arcy, 2003, The Impact of Denial-Of-Service Attack Announcements on the Market Value of Firms, Risk Management and Insurance Review, 6(2): 97-121.
Kerber, Ross, 2007, Latest TJX Offer Includes Checks or Vouchers, The Boston Globe, October 11, 2007: p. D1.
Ko, Myung and Carlos Dorantes, 2006, The Impact of Information Security Breaches on Financial Performance of the Breached Firms: An Empirical Investigation, Journal of Information Technology Management, 17(2): 13-22.
Krause, Jason, 2006, Stolen Lives: Victims of Identity Theft Start Looking for Damages From Companies That Held Their Personal Financial Information, ABA Journal, 92: 36.
National Conference of State Legislatures, 2008, Website http://www.ncsl.org, accessed July 7, 2008.
Privacy Rights Clearinghouse, 2007, Website www.privacyrights.org, accessed July 26, 2007.
Schwartz, Paul M. and Edward J. Janger, 2007, Notification of Data Security Breaches, Michigan Law Review, 105(5): 913-984.
Weber, Harry R., 2005, “ChoicePoint Stock Falls After Breach,” Associated Press Online, Feb. 22, 2005.