January 26, 2005

The market punishes bad news, not bad not-news

Adam responded over on his blog to my claim that it was FUD that the market was shifting to, not the loss of confidentiality. So I'll try and argue my case more.

The market responds to news. It doesn't respond to not-news. Why not? The reason for that is that the not-news is already factored in. That is, Bank of America is known to have the potential for branch bank robbery, and the market puts a risk premium on it for that. Bank of America may be big enough to face a bank robbery a day, but the market knows that and doesn't respond to any individual event.

The news that a confidentiality breach has occurred, then, is either news or not-news. In the case of the measured companies, which dropped 5% in one study and 2% in another, it was clearly news.

Yet, confidentiality breaches are occurring all the time. Visa and Mastercard and all the banks are being raided on a routine basis. What happens when some bank announces it has arrested an insider for selling account information for $10 or $20 a pop? Nothing. That's not-news. It's not news because the market already understands that the banks and retail credit and identity systems have a huge insider problem. So it's factored in. No shift in market price, even if 100,000 accounts have been compromised.

Then, when some poor muggins who is doing something different - not the usual suspects listed above - discovers their account database has been lifted, that is ... different! That's news - not because it's bad. In fact, we can probably empirically show that it is way less bad than the above not-news because it is much rarer and the compromises are generally lighter. But no matter, the journos write about it, the righteous point fingers, and the market sells.

What the news is in this case is that the market has not understood and has not factored in the possibility of a loss of confidentiality in the new player. It might be an Internet bank, or it might be a telco, or it might be a government department. Either way, all this data sitting there and nobody knew about it nor understood that it could leak ... well, when *that* data gets lifted by a sneaky hacker, we are all surprised.

Try it some time. Look at a particular case and look deeply. I'd suggest you will come to the conclusion that there was a storm in a teacup. As in, "so what was all the fuss about?" Consider the recent Mobile-T thing. 400 users had their account information lifted. What was the scandal? What had really attracted the attention of the press was that the hack had occurred against a Secret Service agent! Very sexy! What's more, famous names had their photos downloaded. Better and better. And, shock horror, telcos are amassing huge databases of our personal lives!

If only 400 boring accounts from a telco had been lifted, what would you write about? I think that story showed a definite press bias toward the "new and scary", and the market to some extent follows that. To be fair, we'd need a bank insider story to compare this to - and there are quite a few. Problem is, they are so mundane that even I forget them.

Also, you can look at those X accounts and propose some metric as to how much that confidentiality is worth. Say the 400 account hack dropped Mobile-T's share price by 5%. (Hypothetically, I don't know if they got hit or not.) Now, they have many more accounts than that. I'd guess they have something in the millions.

What happens if they lose a million accounts? Does that mean their share price goes down by 100 * 5% * 1,000,000/400 = 12500%? No, of course not. Firstly, the price can't drop by more than 100%. Secondly, even if they opened up every account they had, they still haven't got a loss of revenue stream.

Which is to say that whatever is being said by the stock market, it is *not* anything quantifiable: it is not measuring an _amount_ of confidentiality. I guess my point here is that it is the meta-loss, not the confidentiality itself that is the crime.

