Brand and business reputation suffer following a data breach. A recently released survey puts some numbers to the losses and shows just how much that damage can be, with breach of customer data being the most costly. The study, independently conducted Ponemon Institute LLC and sponsored by Experian® Data Breach Resolution, is believed to be the first study to compare the impact of the loss of confidential customer or employee information and sensitive business information with loss of brand and business reputation.
The study surveyed 843 senior-level persons with in-depth knowledge about their companies brand and reputation management objectives. Some of the highlights found, and resulting key take-aways from the study are:
- With an average economic value of corporate brand or reputation at $1.5 billion (ranging from less than $1 million to greater than $10 billion), the average loss in the value of the brand ranged from $184 million to more than $330 million, depending on the type of information lost in the breach.
- As a percentage of annual gross revenues, the economic value of corporate brand or reputation ranged from less than 10% to greater than 5 times annual gross revenue, and depending on the type of information lost in the breach, the value of brand and reputation could decline as much as 17% to 30%.
- Reputation and brand image are inextricably linked.
- In some cases it can take longer than a year to restore reputation and brand image.
- Some breaches are more devastating than others, with breach of customer information being most devastating.
- 82% of the respondents stated their organizations had a data breach involving sensitive or confidential customer information, on average, 2.7 breaches in the past 2 years. 76% say the customer data breaches had a significant or moderate impact on reputation.
- Before having a data breach, less than 50% had incident response plans in place for customer data breaches; after a breach over 75% put a plan in place.
- What you should do: respondents strongly believed the top two steps in responding to data breaches are: (i) conducting investigations and forensic evaluations; and (ii) working closely with law enforcement. Following those two steps: (iii) immediately respond to the incident, (iv) protect those affected from potential harms such as identity theft; and (v) conduct employee training and awareness programs.
As a lawyer who counsels clients in these matters, I'd also suggest now is the time to:
- Review and update your data breach response plan.
- If you don't have one, do one now!
- Make sure you are in compliance with the laws enacted in 33 states with respect to protection of social security numbers.
- Make sure you are in compliance with the laws enacted in 10 states regarding security for personal information.
To access the study, click here: http://www.experian.com/data-breach/reputation-impact-study.html.