Do data breaches cause lasting reputational damage for organizations? We all know breach response is expensive – just ask Target, which posted data breach-related costs of $162 million through fiscal year 2014, plus another $129 million for the first half of FY2015, all net of $90 million in cyber insurance. That’s a lot of zeros, and it’s not over yet. According to Ponemon’s 2015 Cost of Data Breach study, the average U.S. cost of a “malicious or criminal breach” is $230 per compromised record, $210 per record for a “system glitch” breach, and $198 per record for “human error” breaches. The U.S. breaches in the study averaged more than 28,000 compromised records and an average total cost of over $6.5 million.
But beyond response hard costs, the X factor for many companies is a fear of crippling reputational damage in the wake of a large-scale data breach. As it turns out, such fears may be unfounded, and may also be unhelpful.
In the September issue of ACC Docket, coauthor Bob Jett and I touch briefly upon the murky subject of post-breach reputational damage in our article “How and Why to be Ready for a Data Breach.” Cyber breaches intuitively should result in a loss of goodwill, but actual numbers on reputational damage, separating the hype from actual harm, are elusive. For example, we observed, stock prices of several publicly traded companies with mega-breaches did not reflect the reputational “hit” one might expect.
A new research study, “Strategic News Bundling and Privacy Breach Disclosures,” confirms this view. Public companies suffering breaches between 2005 and 2014 had only a small negative impact on share price, more than offset by the positive news commonly disclosed in tandem (kind of like “Honey, I backed the car into a tree. I’m really sorry. But guess what – let’s do that tropical vacation next month!”).
Why would this be? A report on consumer sentiment about data breaches sheds light on the contradictions at play. Three quarters of consumers whose information was compromised in a breach described the experience as “stressful,” and 45 percent were very or extremely concerned about suffering identity theft. Yet 81 percent had no out-of-pocket expenses from the breach, and those who did averaged just $38. Fifty-five percent reported doing nothing independently, post-breach, to protect themselves from ensuing identity theft. Seventy-one percent continued their relationship with the company, most commonly responding with some combination of “it is too difficult to find another company with comparable products and services,” “data breaches affect most companies and I think it’s unavoidable,” and “the company resolved the data breach to my satisfaction.”
What this means
- “Data breach fatigue” may be a new normal, with affected individuals resigned to simply accept breaches as an unfortunate fact of life. On the other hand, such a new normal brings with it higher expectations for companies’ breach response. In the consumer sentiment study discussed above, about half of the customers who did sever their business relationship post-breach reported that the company could have kept them as customers by providing some combination of a sincere, personal apology; free identity theft protection and credit monitoring; a responsive call center; and product or service discounts.
- Some industries are more prone to reputational damage than others. Ponemon’s 2015 Cost of Data Breach study measured the “opportunity cost” from abnormal turnover of existing customers and the decrease in new customer acquisition. Retailers had relatively low post-breach customer loss (2 percent) compared to organizations in other industries, such as financial (7.1 percent), healthcare (6 percent), technology (5.4 percent), and pharmaceutical (5.1 percent).
- Some pundits have opined that, as expensive as data breaches may be, they are not yet expensive enough to compel truly effective security, resulting in a systemic “moral hazard.” (Not expensive enough? Hmmm … see Target above).
- None of this ameliorates regulatory penalties and civil lawsuit exposure, which still loom large.
Existential threats paralyze, but manageable threats mobilize
The fear of seismic reputational damage can become a paralyzing obstacle to accomplishing the specifics of what must be done to be ready for breach response. Regardless of whether reputational damage is a significant, long-term threat, the realities remain that (1) hard costs for data breach response can be extraordinary, but (2) response cost exposure can be managed, and (3) preparedness is the key to managing the exposure. Data breaches are indeed a manageable threat… if the organization is actually prepared to manage them.
Preparedness requires more than simply an incident response plan for the IT security team. IT security-driven “detect-contain-eradicate-restore” activities are obviously important, but they are only one piece of the puzzle. To truly manage data breach exposure, organizations need a readiness plan for orchestrating up to ten interrelated activities that must be handled in sync for effective data breach response: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notifications, and Personnel Management.
Without effective readiness, a manageable breach response can quickly become unmanageable. Or as Joe Demarest, assistant director of the FBI’s Cyber Division, bluntly observed, “You’re going to be hacked. Have a plan.”