Abstract

According to many business publications, firms that experience information security breaches suffer substantial reputational penalties. This paper examines incidents in which confidential information about a firm's customers or employees is stolen from or lost by publicly traded companies. Firms that experience such breaches suffer statistically significant losses in the market value of their equity. On the whole, the data indicate that these losses are of similar magnitude to the direct costs of the breach. Thus, direct costs, and not reputational penalties, are the primary deterrent to information security breaches. Contrary to many published assertions, on average, firms that lose customer information do not suffer reputational penalties. However, when firms lose employee information, we find significant reputational penalties.

Keywords: Confidential, Information Security, Data Security, Breaches, Reputational Penalties

The Market Value and Reputational Effects from Lost Confidential Information

Joseph K. Tanimura*, Eric W. Wehrly**

* Unaffiliated, Los Angeles, United States. E-mail: jtanimura@hotmail.com
** Visiting Assistant Professor, Seattle University, United States. E-mail: wehrlye@seattleu.edu

Introduction

A breach in information or data security occurs when confidential personal data is stolen from or lost by a firm. In one of the first widely publicized incidents, on February 15, 2005, ChoicePoint announced that 145,000 personal records had been accessed by suspected criminals passing themselves off as legitimate customers. More recently, Western Union announced that hackers had stolen the names, addresses, phone numbers, and credit card numbers of more than 20,000 customers. In this paper, we estimate the costs of security lapses and examine whether public firms incur any reputational penalties when they suffer data breaches.

A firm incurs a reputational penalty if the total costs of the breach, as measured by the loss in the market value of the company's shares, exceed the direct costs of the breach. The direct costs include unbudgeted, out-of-pocket spending on items such as notification letters and emails, legal and accounting fees, public and investor relations, and call center expenses. Direct costs also include the opportunity costs of company resources, such as employee time, spent dealing with the consequences of the data breach, and fines levied by government agencies. A reputational penalty exists when, for example, news of Western Union's lost information causes the firm's market value to decrease by an amount greater than the expected direct costs associated with the breach.

The existence and magnitude of a reputational penalty is important for public policy. For example, ChoicePoint was fined $10 million by the Federal Trade Commission in 2006. Whether this penalty is sufficient to deter future data breaches depends in large part on the reputational penalty that firms incur when they suffer breaches. If reputational penalties are large, then advocates for higher regulatory sanctions and lower legal hurdles for plaintiffs are misguided. If, however, reputational penalties are negligible, these advocates have greater standing.

The existence of reputational penalties also informs firms' investment policies. If reputational penalties are large, then investment in information security will yield greater returns. On the other hand, if, contrary to most media reports, reputational penalties are small or non-existent, firms have reduced incentive to invest resources in safeguarding information.

According to most business publications, firms suffer substantial reputational penalties as a result of information security breaches. For example, the chief technology officer of a company that suffered a breach states, "When something like this happens, we don't want to put a price