Most conversations surrounding the cost of a data breach are around fines or compensation.
Financial costs are definitely important as we see an onslaught of regulatory legislation around the world. Many countries have followed in the footsteps of the EU’s implementation of GDPR, like California’s CCPA and Brazil’s LGPD.
Since 2021 is likely to see increased safeguards on consumer privacy and, in the past year, employees have had access to more data at work, the number and value of data breach fines are also expected to increase.
However, an important aspect of data breach cost that is often overlooked is reputational damage.
A good reputation is usually hard to build, but once you’ve gained it, it can sustain a business through tougher times like what we’re currently going through. Back in 1997, Apple was on the verge of bankruptcy and playing second fiddle to Microsoft, but in 2018 it became the first publicly traded American company worth more than a trillion dollars.
Today’s consumers often put a lot of stock in reputation and are loyal to brands that they’ve had good experiences with, so it can be nearly impossible to bounce back from any damage to your rep.
The reputational repercussions of a data breach can last much longer than the short-term fine, causing damage to your bottom line in the long run when customers don’t trust you enough to do business with you, and potentially dealing your organisation a blow from which it will never recover.
In the media glare
In the immediate wake of a data breach, there’s a lot to take in. What was lost? Was it an attack or an accident? Has the breach been closed?
If you’re a household name, such as TalkTalk, Equifax or Yahoo – or involved in something salacious like Ashley Madison – you will likely find yourself in the unenviable position of doing these initial investigations in the full glare of the media spotlight.
For such businesses, especially nowadays, the reputational impact will be immediate. Depending on the size of the data breach and how it happened, big businesses are likely to find themselves on the front pages of the papers and in the broadcast headlines too. In this kind of situation, the axiom that “all publicity is good publicity” falls very flat.
Even if your own organisation’s data breach doesn’t warrant a spot on the evening news, that doesn’t mean you will have escaped public condemnation: Disgruntled customers – or now former customers – will be disavowing you on social media for having shown little care for their personal information, potentially for years to come.
It’s not just the act of losing control over customers’ personal data that can harm a business’ reputation, either. Speaking as a guest on the IT Pro Podcast, Dr Rois Ni Thuama, head of cyber governance at Red Sift, pointed to the fallout of the 2014 Sony Pictures hack as one example.
“You had large dumps of Sony data … you’ll remember there was a lot of stuff on actor compensation, there [were] embarrassing email exchanges. One of the key players (co-chairperson, Amy Pascal) sent something that was racially insensitive,” said Ni Thuama.
“People lost their jobs… their careers and their professional lives were damaged, particularly the woman (Pascal) who sent the charged emails, and then there was definitely a loss of reputation over the actors’ compensation,” she added.
The importance of accountability
Away from the data breach itself, how the organisation acts once the incident can have a major impact on the depth and permanence of the damage an organisation faces.
Gabriel Friedlander, the founder of security awareness training firm Wizer, tells IT Pro: “Yahoo, Uber and Anthem are three data breaches that stand out in the US because of the lack of accountability, lack of transparency, and length of time between a breach happening and the truth coming out.”
“Companies also invest a lot in ‘values’, so when companies lie or try to hide a breach, it ruins the trust and goodwill that has been built up over years with many of their customers, some of whom will quickly look to the competition for a more safe and secure alternative,” he adds.
Simon Smith, a specialist in cybercrime and computer forensics, feels similarly.
“Trust is the driver for any business success. If trust is lost then some businesses may never recover,” Smith tells IT Pro.
“It can depend a lot on the nature of the breach and how the company reaches and remedies the breach. Dishonesty or non-disclosure can cause a great loss of trust that could easily destroy any business after only one incident. Customers, the authorities and society will be concerned about a company's security and ability to protect data if systems are not in place to handle and mitigate the problem.”
Small business, big problems
Sadly, when it comes to reputational damage, SMBs often fare worse than larger ones.
“We see a 60% failure rate among the SMB market after a company discloses a breach within 6-12 months,” says Friedlander. “This partly due to confidence issues, partly due to recovery challenges, etc.
“The SMB market is crowded. Think about a restaurant, if it gets breached people have many options for going to eat somewhere else, and if your accountant got breached, you will probably leave and find someone else.”
Bigger businesses, on the other hand, may be harder to move away from. It’s also likely they have greater resources to put towards crisis management, as well as to pay any regulatory fines and settle lawsuits.
Smith adds that SMBs can suffer worse damage to their reputation as they may not realise their responsibilities or act appropriately.
“Small businesses make up the majority of all business, but as many are not publicly listed, they feel they do not have to disclose every event. This in itself causes a major problem as it is now considered a regulatory issue across the world where businesses of all sizes can be fined for breaching the obligation to secure personal records,” he says.
“Any size business is equally at risk because somewhere along the way, they got the attitude that ‘it can’t happen to us’, or, ‘it can’t happen to us again’. Without proper process, project, policy and infrastructure governance in place to protect their systems, it is always going to be a ticking time bomb,” he adds.
If you survive the initial damage, the lasting impact may not be quite as catastrophic as one would imagine, though – as they say, time heals all wounds.
“Long term, there is an argument that there’s little consequence as humans have short memories,” says Friedlander. “There’s a plethora of breaches and companies get lost in the mix.”
Nevertheless, while there are methods to mitigate reputational damage in the wake of a data breach – including the passage of time – it pays to put as much effort into preventing one happening in the first place. Not only do you reduce the risk of harm, but if a breach does happen the reaction will likely be more sympathetic if it can be shown it happened despite you having ample defences and procedures in place.
