Date: 2019-07-30

Here we go again. Another company is reporting another massive data breach, and once again, that company’s stock is collapsing as the details are revealed. This time, it is Capital One (COF). But the sliding stock price presents a buying opportunity for investors.

The company revealed yesterday that a software engineer, Paige Thompson, had been arrested in connection with the theft of data of over 100 million Capital One customers. If that number is accurate, that would make it the largest known breach of stored data at a financial company in America. The important word here, though, is “known.”

The hacker was discovered after bragging about it online using a traceable account, resulting in an anonymous tip to Capital One. That, obviously, isn’t usually the case, and the breaches we don’t know about are potentially far more damaging.

If you ask a candid cybersecurity professional, they will tell you that for every company that stores sensitive data, the question is not if they will be breached, but when, and how significant that breach will be when it comes. Still, every time one is disclosed, stock in the targeted company gets slammed. Tasking a corporation with doing the impossible and then punishing it when it fails is ridiculous, and that is what we see in these cases. Even more ridiculous, given that every company is either vulnerable or has already been attacked, is that the market is punishing only the ones that own up to the issue and are honest about it.

I understand those that feel uneasy making excuses for corporations in these cases. The ultimate victims are usually ordinary people, and the failure to protect data must be punished, or some companies might think, why go to the bother and expense of even trying? However, there seems to be a tacit acceptance in the legal system and elsewhere that punishing these companies for falling victim to the inevitable, then doing the right thing and making the attacks public, can only go so far.

Take Equifax (EFX), for example. That incident from a couple of years ago has been back in the news recently, as the company agreed to a $650 million settlement a week ago. Now, $650 million is a lot of money to most of us, but to a company with an enterprise value of over $20 billion it is not exactly life-threatening. Nor have any of these breaches led to a sustained public backlash. Is there a significant number of people who still avoid Target (TGT) because they were breached a few years ago, or who have somehow managed to remove themselves from Equifax’s database?

In all of these cases, though, the market reaction is disproportionate to the size of the problem. EFX lost well over forty percent in the two weeks following a breach that ended up costing them around three percent of the firm’s value. Target, which currently has an EV of $58 billion, was fined $18.5 million, an even smaller percentage, yet that stock also got hit hard as the story came out.

From what we know so far, it appears that Thompson didn’t sell or transfer any of the data, so Capital One’s liability, at least in a financial sense, is even more limited than for either EFX or TGT. But Capital One has lost around eight percent as the news has been digested.

The implications for COF are obvious.

It is, or rather will soon be, a buy. The qualification is because these stories have a way of dragging on sometimes. Corporations have learned to do all they can to avoid the kind of three-year drip of news that followed the Target attack and made it look as if they were attempting a coverup, but, given the history, the stock could continue to fall for a day or two. That same history, however, indicates that while this is undoubtedly embarrassing for Capital One, it is unlikely to have any massive financial impact. If it goes the same way as others, liability will be limited, and the public will quickly forgive and forget.

When a crime is committed that potentially has a hundred million victims, looking for someone to blame and punish is inevitable, but the perpetrator here is Thompson, not Capital One. The market, however, seems, as usual, to be overreacting to a headline and meting out punishment in the only way it can. Providing there is not a lot more to this than we already know, COF is a buy on the resulting dip.