Tim Critchley, the CEO of the call center phone security company Semafone, recently opined in a piece on CSO Online that “the reputational damage suffered by companies who fail to protect personal data can translate directly into a loss of business.” Critchley’s comments came in the wake of Target Company’s 2013 sales losses of over $500 million, reflecting a 46 percent drop in year-to-year sales, following a massive data breach that publicly exposed customer information that the company had held on its data servers. In Target’s case, as in the cases of several other large companies that suffered data breaches, the company’s stock price rebounded in the year following the breach and long-term damage was limited. The near-term damage from a data breach, however, shows that a company formulating a cybersecurity policy needs to consider how a data breach can hurt customer confidence.
The Cost of a Data Breach
Data breaches are not limited to the few big cases, like Target, that are reported in the mainstream press. Close to half of all consumers report that their personal information was stolen in a data breach. A majority of those victims report their experiences to friends and through social media, which directly affects the reputation of the company that is the source of the breach. Large and small companies alike report almost daily threats to the customer data that they hold.
At least one recent survey suggests that retailers that suffer a data breach lose more than 10 percent of their regular customer base. Of the remaining regular customers, almost 80 percent will use cash, and the size of their purchases will be lower. In the current highly competitive retail market, a 10 percent drop in sales can be the difference between survival and going out of business.
What to Do If You’ve Been Hit
Regardless of the strength of a company’s cybersecurity defenses, some data breaches will succeed. When that happens, the burden shifts from preventing the breach to rectifying problems associated with the breach. The same survey suggested that a company’s strong and swift response to a data breach would increase the likelihood of customers returning to a retailer to shop. Companies can increase customer retention by offering identity theft protection and by disclosing all relevant information about a data breach to customers in a timely manner, without putting any positive “spin” on that information or downplaying its seriousness.
A strong and swift response to a data breach might include the following steps:
- Evaluate the magnitude of the losses.
- Limit the damage once the breach becomes evident.
- Determine what caused the breach or where it came from.
- Assess any internal security problems or employee issues.
- Revise any current cybersecurity policy to reflect the experience.
- Increase employee training and education on data breach prevention.
- Contact and cooperate with law enforcement.
- Prepare and plan for legal problems.
- Review information systems backups and data logs.
- Assess the strengths and weaknesses of cybersecurity defenses and personnel.
To the extent that a company can place an objective value on its prospective losses from a data breach, it should consider procuring cybersecurity insurance to recover some of those losses. Restoring lost reputations and repairing customer confidence will take additional time and energy. Having cybersecurity insurance coverage for other losses will free up a company’s resources to handle those more difficult tasks.