Data Breaches - Beyond the Impact of Fines

Tuesday, September 27, 2011

Emmett Jorgensen


Businesses take note: Data breaches have a far greater impact than just potential fines.

With several high profile data breaches this year, federal regulators have been quick to propose data breach notification bills and heavy fines for organizations that fail to keep sensitive and confidential information safe. 

The real concern for organizations that have experienced a data breach, however, should be customer confidence.

A recent article in the Tech Journal delves into the effects of data breaches, using survey information to demonstrate how they affect customer loyalty and confidence.

The article highlights a recent survey by SailPoint Technologies which suggests global consumers have been losing confidence in companies due to the frequency of data security breaches.

"The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers," said Jackie Gilbert, vice president of marketing and co-founder at SailPoint.

"These companies obviously spent millions to recover from these data breaches, but the longer term and harder-to-measure costs will be the erosion of customer loyalty and decline in brand perception."

The article goes on to relay how the lack of confidence is affecting consumer behavior: "a security breach at a financial institution or retailer can severely impact customer loyalty. Case in point: 16% of Americans, 24% of Britons and 26% of Australians said they would no longer do business with a bank, credit card company or retailer if a security breach occurred that potentially exposed their personal and financial information to theft."

Although regulatory fines are painful, the loss of customers and business should really concern businesses. Organizations and infosec professionals (CIOs, CISOs, etc.) would do well to take note of these results.

Cross-posted from Kanguru Blog – Technology on the Move!

Javvad Malik: Nice post, Emmett. However, are there any metrics which support the hypothesis that companies actually suffer directly by customers leaving? I used to share your view that the reputational impact upon companies can be large. But now I'm not too sure.

So many large organisations have been breached, yet I have yet to see a mass exodus of customers following a breach.

In the aftermath of the TJX credit card loss, someone was interviewed shopping at TJX and her statement was, "well they must have fixed it now".

I've yet to see any organisations I've worked for who have used RSA tokens go for an alternative.

I may be wrong as I don't have any data to back it up. But having worked within some of these large organisations, the attitude seems to be changing with a view that, "look Sony, TJX, RSA, etc got mega-breached, but they didn't die... and they probably got a lot of free publicity out of it."
Emmett Jorgensen: I didn't see any metrics within the survey to directly support customers leaving.

However, even if the numbers aren't spot on, which surveys rarely are, it still supports the idea that these breaches have a negative impact on a company image.

Also, I think a change in perception and habits is a very strong possibility.

There are a lot of angles to this:

- Are customers less apt to supply personal details to companies after a data breach?
- Is there a trend to use cash rather than credit card after a breach?
- Does it become harder to obtain new customers?

This list goes on...

I think it will take some time to really understand the fallout from these breaches.
Emmett Jorgensen: An interesting follow-up on this post... I just saw an article on CSO Online which claims privacy is the main reason gamers don't purchase downloadable content for their gaming consoles.

Emmett Jorgensen: I was kind of thinking the same thing. However, in this case I took "privacy" to translate into "infosec" due to the PSN data breach.

Javvad Malik: You've probably seen this today about how Sony have stated the PSN hack actually increased their customer uptake of online services...

Interestingly, I did some google-fu and also noted this article which looked at TJX a year after their infamous hack, and the first finding they put down is that it didn't affect revenue or stock price.

I'm not saying this to say you're incorrect in any way - but rather it's quite an interesting topic. As you mention Emmett, it will take some time to fully understand the fallout from these breaches. But it does beg the question as to how seriously people who aren't security savvy consider security to be... possibly not as many as we would hope / think?
Emmett Jorgensen: Thanks for the links, Javvad.

I think when you see mentions of things like "insurance" (which I assume to mean data breach insurance) and credit monitoring it speaks to the customer confidence issue.

Isn't this essentially buying customer confidence?

TJX and Sony are spending significant amounts of money to prevent a loss of confidence.

The TJX article states that the breach "could end up costing the company $1 billion over the next few years".

They may be retaining customers despite the breaches, but what effect is this having on their bottom line?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.