Because companies accept and store sensitive, personally identifiable consumer customer data, they are responsible for safeguarding it against theft by cybercriminals. This should be common sense. Yet, according to a Ponemon Institute study commissioned by Centrify, only about half of the marketing and IT/security professionals polled agree that their companies “have an obligation to take reasonable steps to secure [customer] personal information.”
Come May 2018, the European Union has a big eye-opener in store—the General Data Protection Regulation (GDPR)—for the other 50 percent whose management teams apparently believe they are under no serious obligation to protect sensitive customer data.
The Ponemon study, “Impact of Data Breaches on Reputation and Share Value,” is interesting in that it polled three separate groups: 448 IT and infosec professionals, 334 senior-level marketers and corporate communications execs and 549 consumers. Respondents were from the United States, UK, Germany and Australia.
Meanwhile, consumer respondents’ viewpoints are heavily weighted in favor of organizations taking responsibility protecting their sensitive data, with 80 percent believing organizations have an obligation to take reasonable steps to secure their personal information. And they have good reason to think this: More than 60 percent of consumer respondents say that during the last two years they have been notified by a company or government agency that their personal information was lost or stolen as a result of one or more data breaches. And more than 40 percent of IT/infosec professionals say their organization experienced a data breach involving the loss or theft of more than a thousand records containing sensitive information.
The study report states for clearly: “To protect brand and reputation, it is critical the C-suite and board of directors address consumers’ expectations about how their personal information is used and secured.” According to the study, however, that may not be in the works for a good number of firms. Some 45 percent of IT/infosec and 42 percent of marketing and corporate communications pros “don’t believe that senior management understands the importance of preserving [their company’s] reputation.”
Ponemon unearths what may be the most salient data point on the subject: that 61 percent of IT/infosec professionals do not believe their companies “have a high level of ability to prevent breaches.” Real-world corporate and governmental security breaches have reached epidemic proportions. CEOs, CIOs, CISOs and others have lost their jobs. The average cost of a data breach is $3.62 million, according to another Ponemon Institute report, the “2017 Poneman Cost of Data Breach Study.” Loss of brand reputation may be difficult to put a price on, and it will differ from company to company. The companies that aren’t prepared to deal with a security breach are the ones that often face the most severe consequences.
Consequences of Failing to Protect Customer Data
The Ponemon data implies that a trust gap is growing between consumers and corporations. What’s appears to be happening, based on the data, is that consumers are over-trusting. How long before that bubble breaks? And what is the outcome in terms of diminished brand for the companies that don’t safeguard their customer data? What about possible regulation? In all likelihood, consumers who wind up mired in identity theft will blame the breached company. But as consumers go through their second, third and fourth breach, they are likely to become more selective about who they do business with. Ultimately, loss of brand reputation becomes a loss of customers.
Ponemon carried out a financial impact study on stock loss and concluded it averages 5 percent, beginning from the date the data breach is disclosed. But how long before the stock price rebounds, if it does rebound? The stock of companies that are properly prepared for a security breach tend to bounce back in seven days, on average, Ponemon found. Companies that are ill-prepared for a security breach saw their stock decline last more than 90 days on average. Ponemon stopped tracking stock prices at 90 days, so we don’t know whether typically the stock ever fully rebounds.
In an August 2017 report, Heidi Shey, senior analyst at Forrester, listed several other possible costs of failing to protect sensitive customer data:
- Lawsuits and settlements that can drag on for years with attendant legal fees. Target wound up paying $18.5 million just for the settlement resulting from its data breach;
- Regulatory fines and assessments;
- Improving security and audit requirements;
- Loss of employee productivity and employee turnover;
- Technical response (incident response services, forensics);
- External communications (notifying affected individuals as well as government and regulatory agencies);
- Identity theft monitoring for customers; and
- Outside PR help.
The costs required to safeguard sensitive customer data are far less at most companies than the costs of failing to protect it. So why are so many companies ill-prepared to deal with this well-documented problem that is on the rise in the United States? Just look at Target and Equifax for what can go wrong.