Many executives express doubt that a data breach will have a long-term, or even a significant, effect on the business. They feel it would, at worst, be a news story that can be outlived, if it occurs at all. The "It can't happen to me" view is prevalent. The experiences of companies that have had the misfortune of a public data breach event show us that real risks clearly exist, ranging from lost revenue to lawsuits to executive-level terminations. The impacts of a data breach fall squarely in the areas of risk that every CEO is ultimately responsible for managing: revenue, expenses, productivity, and brand equity.
The first risk a business faces in the aftermath of a public breach event is to revenue. Skeptical CEOs are reluctant to believe that customers really leave because of a data breach, choosing instead to believe that even if customers initially leave, they will return. In reality, the number of customers who leave depends on "switching costs," in other words, how painful it is for the customer to move their business elsewhere. For retail stores, switching costs are typically very low, so retail businesses face a greater risk of revenue loss from a data breach. Target's SEC filings showed that both store traffic and transaction volume decreased year over year during the year after its breach. Because this was not the case for Target's competitors, it supports the argument that Target's customer confidence indeed took a hit in the wake of the breach and that the breach had an impact on sales revenue.
Public polls offer limited insight: some polls show that 60% of people are inclined to change their buying behavior after a breach, while others show only 40% saying their buying behavior would change. Regardless of what people say in a poll, the concern is what customers will actually do, and statements made in the hypothetical may differ greatly from what occurs in reality. For medical practices and retail banks, switching costs are typically higher, as many people are not willing to find a new doctor, complete the paperwork required for new bank accounts, or go through the trouble of setting up all new online bill payments.
Another important factor is the amount of trust that forms the basis of the relationship with your customer and how much damage the breach does to that trust. This is where banks stand to fare worse, despite their higher switching costs. Even if customers eventually come back, an initial loss of revenue may strain cash flow in the short term, which, for companies without sufficient cash reserves, may create a financial situation that is difficult to overcome. Smaller organizations tend to have less of a cushion, especially in low-margin businesses. A publicly traded company must also consider the effect of the news on the opinions of analysts and investors, as a drop in stock price may trigger loan covenants and other barriers to obtaining financing.
The tremendous cost of cleaning up after a data breach exacerbates the financial pain: as revenue is declining, expenses are rising. Together, the squeeze on profitability may not be sustainable. The Ponemon 2015 Cost of Data Breach Study surveyed 350 companies to calculate the average cost of a lost or stolen information record and found it to be just over $154 per record. Another organization, NetDiligence, reported on 160 breach events large enough to result in an insurance claim and found the per-record cost to be $964. The large variation between breach events makes calculating an average extremely difficult and can render the estimate of limited use. Nevertheless, it is helpful to have visibility into the potential impact, especially given the growth in both the probability and the impact of data breach events, both domestically and globally.
The largest and most immediate expenses a company faces after a data breach are those associated with legal and technical investigations and system recovery. Not as immediate, but not far behind, are expenses for legal defense and, if the breach involves payment card data, card replacement costs, contractual obligations, and Payment Card Industry (PCI) fines and penalties. Finally, smaller but still notable near-term costs may need to be borne for public relations, victim notification and resolution, and additional advertising and incentives to entice customers to return.
Longer term, millions of dollars in expenses may accumulate from legal fees, fines, and penalties. Heartland Payment Systems paid over $140 million in costs, fines, and penalties following its data breach. TJ Maxx's data breach cost $162 million. Target's cost stands at $252 million and counting. The list of companies with double- and triple-digit million-dollar costs related to data breach events is already long and still growing. The vast majority of data exposures are never reported and are small and of little financial impact to the companies experiencing or causing them; however, it is unwise to discount the less likely but entirely possible large-scale event. There is simply too much at stake.
In some circumstances, employees, managers, and even executives may be terminated, as was the case with Sony's Chairman, Target's CIO and CEO, Ashley Madison's CEO, and many others. A change in leadership, especially amid a crisis, can be distracting and unnerving to the employee population and can hurt productivity, even if the transition happens quickly. But most transitions are not quick. Finding, recruiting, and on-boarding a new employee at any level takes time and interrupts productivity. In addition, companies often face subsequent turnover among employees who are unhappy with the departure of someone they liked or with that person's replacement. It may take a year or more for that to settle.
In cases where a data breach exposes the employee population's personal and/or financial information, it would be naive to think that employees can focus fully on work while facing questions from the public, friends, and family, as well as tremendous personal financial exposure. The larger the number of employees affected, the longer the conversation will continue and the longer it will distract. In these instances, it is even more important for management to communicate clearly, accurately, and proactively, and to offer support to the individual employees at risk of identity theft.
Given the difficulty of assessing a brand's actual value, it is even more challenging to quantify the negative impact a data breach can have on a previously strong brand. Brands can motivate buying behavior and support premium pricing, which translates to real revenue and profitability. Companies buy and sell brands like physical assets, and brands are carefully managed and, when threatened, defended vigorously through expensive litigation. No one would suggest that a breach can boost brand valuation, just as no one would say that all breach events have an equal impact. But context, timing, size, the manner of announcement, and other factors may yield a decline, whether large or small, in a company's brand strength. YouGov, which publishes a brand strength index, compared the impact of Target's data breach announcement to that of Home Depot's. Target has been publicly criticized repeatedly for the many mistakes it made in handling its data breach, while Home Depot executed according to what many experts have published as best practice. Both brands showed damage, but Target's brand suffered more and the impact lasted longer. Companies that take care to prepare, prevent, and properly respond can be in a better position than those that leave their corporate image to chance.
Written by Deena Coffman, former CEO of IDT911 Consulting. Reprinted with permission from Today’s Insurance Professionals® Copyright © 2016 International Association of Insurance Professionals (IAIP)