4

A STRONG PRIVACY POLICY CAN SAVE YOUR COMPANY MILLIONS

by Kelly D. Martin, Abhishek Borah, and Robert W. Palmatier

Cyberattacks are on the rise, with over 1,000 data breaches occurring at U.S. organizations in 2016 alone, most often through hacking or external theft. And it isn’t only violated firms that are hurt by these incidents. Studying hundreds of data breaches, our research has found that data breaches sometimes harm a firm’s close rivals (because of spillover effects) but sometimes help them (because of competitive effects). We also found that a good corporate privacy policy can shield firms from the financial harm posed by a data breach—by offering customers transparency and control over their personal information—while a flawed policy can exacerbate the problems caused by a breach. This is the first evidence to show that a firm’s close rivals are directly, financially affected by its data breach, and our research offers actionable solutions that could save some companies hundreds of millions of dollars.

Our research shows that sometimes a breach creates spillover, in which investors perceive a guilt-by-association effect that harms the breached firm’s close rivals. For an example of competitor harm due to these spillover effects, consider the Nvidia data breach, which affected 400,000 user accounts. Its rival Advanced Micro Devices (AMD) lost about $48 million on the event day (1.4% drop in stock price) from the spillover effects of Nvidia’s breach, controlling for overall market effects. That is, when removing from our analyses all other events that could have influenced AMD’s stock drop, such as dividend declarations, contract signings, earnings information, or mergers and acquisitions, we find clear and significant harm to AMD from Nvidia’s data breach.

In fact, the spillover effects across our sample led to a drop in stock price that averaged more than $8 million in losses for rival firms where no such data breach occurred. Our results show the financial hit to these rivals’ stock prices can be detected for several days after the data breach before eventually stabilizing.

Yet a breach can sometimes help a close rival, creating beneficial competitive effects. Consider the massive Anthem data breach, which affected as many as 80 million customers. The high severity of this breach led rival Aetna to gain about $745 million (2.2% increase in stock prices) on the event day, due to competitive effects, again controlling for overall market effects. A data breach of this type and scale makes investors worry about customers defecting en masse to competitors, thus providing a boost to a close competitor’s stock price.

Our research shows that the severity of, or number of customers affected by, a breach is a key to understanding whether close rivals will be harmed or helped by their competitor’s bad fortune. As the number of customers harmed by the breach increases, stock market effects for the firm’s rivals go from negative to positive, as competitive effects become more dominant. This suggests that smaller breaches signal that others in the industry may also be vulnerable to hacking. However, large data breaches create the impression that the breached firm is in a unique amount of trouble. Our research shows that in large data breaches, customers’ desire to leave the breached firm increased. Expected switching behavior ultimately benefits the breached firm’s competitors, as captured in their stock returns.

The good news is that firms are not powerless against these data breach effects. There are actionable strategies they can use to protect or inoculate themselves from their own or a rival’s breach. Using studies querying hundreds of customers whom we recruited on Amazon Mechanical Turk, coupled with stock data analysis of hundreds of companies over 10 years, our research finds that firms can protect themselves from data breach harm by implementing two important privacy-focused practices that benefit customers.

First, they can clearly explain to customers how they are using and sharing their data. Transparent privacy practices tell customers what specific information companies capture (such as IP address and search history) and how they use it (for example, using in promotions or selling to third parties). Second, firms can give customers ample control over the use and sharing of their data. Control is endowed through giving customers opportunities to opt out of the firm’s data practices (promotions, sharing with partners, selling). Together, these measures were perceived to effectively empower customers, giving them greater knowledge and the ability to have a say in business practices. (See the sidebar “Why Study Privacy Policies?”)

Why Study Privacy Policies?

Although companies can provide transparency and control through various customer communications, the formalized and codified way they do this is through their privacy policies. These policies are important customer communication tools because the firm has legally agreed to abide by them. Regardless of what a company might message about data privacy in other ways, what is put into practice is formally documented in the privacy policy. When customers are in doubt about their personal information, company messaging commonly refers them to the privacy policy. A review of data privacy research in marketing found that customers do, in fact, have a good idea of a firm’s data practices as captured in a firm’s privacy policy—even if they don’t read the privacy policy. Because privacy policies simply document all company privacy practices, customers who are familiar with a given company and its approach to privacy have a highly accurate sense of what is in the policy. Again, our research with hundreds of customers confirmed this.

When a firm had transparent privacy practices, customers in our studies felt they had the knowledge to make an informed decision about sharing their personal data. When a firm’s privacy practices offered control, customers knew they had the ability to change their preferences about what information they shared and how. In our studies, customers did not punish breached firms that provided both transparency and control. Empowered customers are more willing to share information and are more forgiving of data privacy breaches, remaining loyal after the fact, as we learned. Customers of firms that offer high transparency and control reported feeling less violated by big data practices, attested to being more trusting, provided more-accurate data to the firm, and were more likely to generate positive word of mouth.

Firms with relatively high transparency and control also were buffered from stock price damage during data breaches, either their own or rivals’. Yet only about 10% of Fortune 500 firms fit this profile.

To study how a firm implements practices that provide transparency and control, we looked at the documented ways in which companies explain their approach to customer data privacy. Our research team combed through the privacy policies of all Fortune 100 firms to study their transparency and control and from that understand how protected the firms were from the negative effects of data breaches.

Our findings show that some firms provide high levels of data transparency and control and would be protected from data breaches. (See our ranking in figure 4-1.) Top-ranked firms such as Costco, Verizon, and HP would be shielded from spillover effects if a close competitor experienced a data breach. These firms clearly state what information they capture and how they capture it while offering their customers substantial control over that information’s sharing and use.

FIGURE 4-1: How good are the Fortune 100’s privacy policies? A ranking of how transparent each company’s policy is, and how much control it gives customers. [Ranking table not reproduced in this extract.]

*The privacy policies of these companies offer additional opt outs that did not factor into our ranking.

On the other end of the ranking are firms such as Citigroup, Morgan Stanley, and HCA Holdings. In 2011 Citigroup experienced a data breach of 146,000 customer records and suffered a $1.3 billion stock value loss. According to our analysis, if Citigroup had embraced practices of high transparency and high control, it would have suffered a loss of only about $16 million in stock value. That is, Citigroup might have saved about $820 million had it simply offered its customers high transparency and control. In response to this breach, Citigroup spent $250 million on cybersecurity systems and hired an additional 1,000 IT professionals. Yet our coding of its practices reveals that, as recently as 2016, Citi still was not providing high levels of transparency and control. Thus, while its enhanced IT safeguards may be sound, our research shows the company remains at risk should a competitor suffer a breach. (See the sidebar “Company Ranking Methodology.”)

Looking across the ranking, other firms appear to offer one of these aspects to customers. For example, some firms provide transparency but fail to give customers the ability to act on this information (low control). In our research, this approach was poorly received by customers.

Firms that neither tell customers how their data is used nor offer any control are at the greatest risk of financial harm. Our privacy analysis showed that an overwhelming 80% of Fortune 500 firms fall into this category. In our study, firms that failed to explain their data privacy practices had a drop in stock price 1.5 times larger than firms with high transparency, while firms that provided customers high control had no significant change in their stock price after a data breach.

Company Ranking Methodology

We created transparency and control variables with procedures that employed a mix of automation and manual coding of companies’ actual privacy policies.

We first captured all the relevant URLs pertaining to firms’ privacy policies that were in effect on January 1, 2016. We developed a Python script that visited all valid archived snapshots of each Fortune 500 firm’s privacy policy and extracted the one closest to our date of interest. To ensure the correct URLs were downloaded and parsed, a random 5% of the URLs were manually checked for errors in the script, and the errors found were corrected. We then resampled the URLs and found no errors. After obtaining the privacy policies, we manually coded transparency and control variables by carefully reading each privacy policy and using a coding schema to create count scores for transparency and control. For the variables that required coding of events, we followed standard procedures for textual coding.

For the textual coding procedure, we employed two research assistants who were blind to the study hypothesis. Before coding the privacy policies, the two were separately trained in the coding scheme on a sample of privacy policies that were not part of the final sample. One of us checked to ensure the research assistants understood the coding scheme. After obtaining all the privacy policies, each research assistant independently coded them. Agreement between the two research assistants on the coding was greater than 85%. Disagreements in coding were resolved through discussion with us.

For the transparency variable, we used a count of the dummy variables across multiple elements of the privacy policy that signal openness and willingness to provide information to customers. Specifically, we coded whether the firm (1) explains its opt-out policy, (2) explains how it captures data, (3) explains how it uses data, (4) explains its use of tracking tools, (5) explains the value customers receive from providing their information, (6) explains its data sharing with third parties, (7) explains its data encryption practices, (8) provides contact information for privacy requests, and (9) discusses protections if data is compromised. If a firm’s privacy policy had all nine characteristics, the policy earned a transparency score of nine.

To create the control variable, we counted the number of opt-out choices in the firm’s privacy policy. Specifically, we coded whether the customer can opt out of (1) marketing communications, (2) saving data usage (for example, search history), (3) storing personal information (for example, credit card number), (4) sharing data with third parties, and (5) tracking. If a firm’s privacy policy had all five characteristics, the policy earned a control score of five. Note that we also counted opt outs that were not on this list but were featured as part of the firm’s privacy policy. Four firms included additional data collection or data-use opt outs beyond our five characteristics. These were firm-specific opt outs that enabled greater customer control but did not warrant separate opt-out categories for the entire sample of firms.

To create our ranking, we compiled the summed scores of transparency and control for all firms. Firms that had identical scores on both dimensions appear alphabetically in the ranking.
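The following Python script is an added example, not the authors’ own code, that implements the methodology described in this sidebar end to end: selecting the archived policy snapshot nearest to January 1, 2016, scoring a hand-coded policy against the nine transparency elements and the five opt-out categories (plus any firm-specific extra opt outs), and producing the summed ranking with alphabetical tie-breaking. The coding key names, the constructed sample firms, and the choice to order equal summed scores alphabetically are assumptions made for this example.

```python
from datetime import datetime

# Nine transparency elements from the sidebar; key names are this example's own.
TRANSPARENCY_ITEMS = (
    "explains_opt_out_policy",        # (1) explains its opt-out policy
    "explains_data_capture",          # (2) explains how it captures data
    "explains_data_use",              # (3) explains how it uses data
    "explains_tracking_tools",        # (4) explains its use of tracking tools
    "explains_customer_value",        # (5) explains value customers receive
    "explains_third_party_sharing",   # (6) explains data sharing with third parties
    "explains_encryption",            # (7) explains its data encryption practices
    "provides_privacy_contact",       # (8) contact information for privacy requests
    "discusses_breach_protections",   # (9) protections if data is compromised
)

# Five opt-out categories from the sidebar; firm-specific extras are added on top.
CONTROL_ITEMS = (
    "opt_out_marketing",              # (1) marketing communications
    "opt_out_saving_usage_data",      # (2) saving data usage, e.g. search history
    "opt_out_storing_personal_info",  # (3) storing personal information
    "opt_out_third_party_sharing",    # (4) sharing data with third parties
    "opt_out_tracking",               # (5) tracking
)

TARGET_DATE = datetime(2016, 1, 1)


def closest_snapshot(timestamps, target=TARGET_DATE):
    """Return the archived snapshot date nearest to the target (earliest wins a tie)."""
    if not timestamps:
        raise ValueError("no snapshots available for this policy URL")
    # Sorting first makes min() deterministic when two snapshots are equally close.
    return min(sorted(timestamps), key=lambda ts: abs(ts - target))


def transparency_score(coding):
    """Count of transparency elements present (0-9)."""
    return sum(1 for item in TRANSPARENCY_ITEMS if coding.get(item, False))


def control_score(coding, extra_opt_outs=0):
    """Count of opt-out choices present (0-5) plus firm-specific extra opt outs."""
    return sum(1 for item in CONTROL_ITEMS if coding.get(item, False)) + extra_opt_outs


def rank_firms(firms):
    """Rank firms by summed transparency + control score, descending.

    firms: {name: {"coding": {key: bool}, "extra_opt_outs": int}}
    Returns a list of (name, transparency, control, total). Firms with the same
    total are ordered alphabetically (assumption: the page states this for
    identical scores on both dimensions).
    """
    rows = []
    for name, data in firms.items():
        t = transparency_score(data["coding"])
        c = control_score(data["coding"], data.get("extra_opt_outs", 0))
        rows.append((name, t, c, t + c))
    rows.sort(key=lambda row: (-row[3], row[0]))
    return rows


# Constructed sample codings for hypothetical firms (not real Fortune 100 results).
SAMPLE_FIRMS = {
    "Firm Gamma": {"coding": {k: True for k in TRANSPARENCY_ITEMS + CONTROL_ITEMS}},
    "Firm Alpha": {"coding": {k: True for k in TRANSPARENCY_ITEMS}},  # transparent, no control
    "Firm Delta": {"coding": {"explains_data_capture": True, "explains_data_use": True,
                              "opt_out_marketing": True, "opt_out_tracking": True}},
    "Firm Beta": {"coding": {"explains_data_use": True, "opt_out_marketing": True,
                             "opt_out_tracking": True},
                  "extra_opt_outs": 1},  # one firm-specific opt out counted toward control
}

# Constructed snapshot dates for one hypothetical policy URL.
SAMPLE_SNAPSHOTS = [datetime(2015, 11, 20), datetime(2015, 12, 30), datetime(2016, 1, 4)]


if __name__ == "__main__":
    print("Snapshot used:", closest_snapshot(SAMPLE_SNAPSHOTS).date())
    for name, t, c, total in rank_firms(SAMPLE_FIRMS):
        print(f"{name:12s} transparency={t} control={c} total={total}")
```

Run as a script it prints the chosen snapshot date and the ranking; Firm Beta and Firm Delta both total 4 and therefore appear in alphabetical order, as the sidebar describes.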

Ultimately, firms can use data privacy practices to protect themselves from the spillover effects of competitors’ privacy failures, but their efforts to do so need to be meaningful. They must clearly explain to customers the ways in which they will access, use, share, and protect customer information, and it must go hand in hand with giving customers control over these data uses. Failure to do so leaves a firm susceptible to risk from multiple harms.


Editor’s note: Every ranking or index is just one way to analyze and compare companies or places, based on a specific methodology and data set. At HBR, we believe that a well-designed index can provide useful insights, even though by definition it is a snapshot of a bigger picture. We always urge you to read the methodology carefully.

TAKEAWAYS

Data breaches can create significant ripples beyond the violated firm, affecting the valuation of other companies in the industry. But firms are not powerless against these effects.

  • To protect themselves from the effects of their own or a rival’s breach, companies can implement two privacy-focused practices that also benefit customers.
  • Clearly explain to customers how they are using and sharing their data.
  • Give customers control over the use and sharing of their data (including opportunities to opt out).
  • Research shows that when customers know they have the ability to change their data-sharing preferences they’re more willing to share information and are more forgiving of data privacy breaches.

Adapted from “Research: A Strong Privacy Policy Can Save Your Company Millions” on hbr.org, February 15, 2018 (product #H0465E).
