Skip to main content

The WiKID Blog

Viewing posts from January, 2009


We've switched ISPs for some of our servers. If you have issues with the extranet and the various pages we have set up for testing the software tokens, that is why. We are still working out some of the kinks.


I was googling around when I came across an interesting paper Information as regulation : the effect of Community Right to Know laws on toxic emissions. I think that this paper has interesting similarities to the current state of affairs for breach notification laws. Consider the background:

In 1986, the American Congress voted the Emergency Planning and Community Right to Know Act. This law requires manufacturing companies in the United States with 10 or more employees to publicly disclose the quantity and type of toxic chemicals released into the environment. In July 1988, the Environmental Protection Agency published the first reports for toxic emissions in the calendar year 1987. Data from these reports have constituted the Toxic Release Inventory (TRI). And finally, in June 1989, the TRI was disclosed to the public for the first time. As a result, publicly traded firms whose TRI releases were first reported had to cope with negative abnormal market returns, i.e. a significant drop of their stock price. The paper examines how firms responded to this negative stock price information.
I also liked the reasoning for examining stock price changes:
Actually, there are two main reasons explaining why TRI announcements reduce firm value. First, a high and unexpected TRI announcement can be considered by investors as a warning of poor management practices and increased risk of spills or accidents. Second, TRI emissions disclosures can create a form of pressure from sensitive stakeholders : “green” consumers who may decide to boycott products of high polluting companies, ecologist groups who can sue the firm and, last but not least, the government who might target these firms for wider inspections. All of these mean high pollution-related expenditures (e.g. for penalties or new abatement equipment and methods) that will reduce the firm future profits. Consequently, investors get rid of their shares and the stock price decreases. This stock price hit is a strong incentive for the company executives to improve environmental performance and strengthen firm value in following years.
And I thought the conclusions were
On the average, the 130 firms mentioned in the media had a -0.299 % negative abnormal return on the day of the TRI disclosure, while it was -0.019 % the day before. The 40 firms with the largest negative stock price effects following announcement of their TRI emissions were found :
  • to be among the top 1/3 of polluting firms (per dollar revenue) in their industries.
  • not to be the largest absolute TRI emitters, which is consistent with the hypothesis that the market reacted more to unexpected TRI disclosures than to those that were already expected to be very large.
  • to subsequently reduce their TRI emissions more than other firms in their industry (including those firms with the largest TRI/ $ revenue prior to the disclosure of TRI levels).
  • to also make other significant attempts at improving their environmental performance by reducing the number and severity of oil and chemical spills.
  • to have a lower chance of receiving higher fines from the government in subsequent years.
These results clearly show that new and unanticipated information concerning a firm’s toxic emissions that has a significant impact on market valuation is a strong incentive for that firm to reduce subsequent emissions and to otherwise improve its environmental performance. From this point of view, providing information to the public may therefore be an effective remedy to reduce environmental externalities beyond a regulatory standard.


It looks as though there was one admin, Wilson, who was cooperating with the feds and had the portable drives. Decrypting the mail resulted in the arrest of two other sys admins. Wilson thought he had deleted all the passwords to thwart the FBI. The investigation is part of a political corruption probe. See the full story in the Philly Inquirer


It has occurred to me that you could develop an interesting incentive program for an information security team, assuming that you believe a couple of data points (or can come up with your own) and your primary concern is a data breach. In my opinion, security people are all too often incented only to maintain security - not to optimize the investment in security. Interests need to be aligned.


Of course there is not enough detail in the article to actually estimate the chances and that the odds of winning a specific game are specific to that game, but honestly, the odds are really against you winning $18,000 in the lottery, much less $518,000

Recent Posts







RSS / Atom