Although the immediate consequences of a data breach are swift and terrible, the full impact can take years to become evident. Companies that suffer a significant breach face ongoing challenges post-incident. These may include:
- Reputational/brand damage including challenges with customer retention
- Legal costs ranging from fines and penalties to class action lawsuits
- Operational disruption (including executives getting fired and teams spending time away from daily tasks to deal with the fallout)
- A sharp decline in stock price or business valuation/acquisition price
- Other financial losses including the cost of breach investigation, restitution, and PR management
According to the 2019 Cost of a Data Breach report from the Ponemon Institute and IBM, organizations that must meet high data protection regulatory requirements see 53% of breach costs in year one, 32% in the second year, and 16% more than two years after the breach. This “long tail” effect means some companies may still be digging out from under a previous breach when the next one hits.
Anderson Lunsford, BreachRX founder, shared his view. “No company is immune to the effects of a data breach. But those that respond well tend to mitigate the short and long-term costs of a data breach and bounce back faster after an incident.” Here’s a brief look at the role breach response has played in several incidents.
Examples of Excellent Data Breach Response Are Hard to Find
A quick review of data breaches over the past five years highlights an interesting trend. There are dozens of examples of badly handled responses for every example of a reasonably good response. That’s not surprising since cautionary tales make for better headlines. A data breach that is properly addressed rarely provides ongoing news fodder. In fact, minimizing bad press by doing things the right way is a defining characteristic of a well-handled breach.
Anthem, a Blue Cross Blue Shield insurer, fits the bill in at least some areas of breach response. In 2015, Anthem was hit by a phishing scam that resulted in a data breach impacting nearly 80 million customers. The company took immediate action to curb the impact of the breach. They:
- Went public fast (within days of the incident rather than weeks or months)
- Set up a dedicated micro-site (remarkably free of legal jargon) to communicate with consumers throughout the process
- Offered a public apology from leadership (without weasel words to minimize what happened)
- Took steps to offer credit monitoring immediately instead of waiting for court ordered restitution
- Made a sizable but proportionate investment in improving security protocols to prevent a repeat incident
In the end, the company paid $115 million in a class action settlement that was finalized in 2018. Additional costs for hiring expert consultants, notifying the public, and managing other response activities racked up millions more.
What about fines and penalties? When it was determined that the hack was likely carried out by a nation-state attacker, state insurance commissioners decided not to levy fines against Anthem. Instead, the company set aside a few hundred million to improve cybersecurity and prevent a repeat incident.
Considering the size of the breach, the total costs per consumer weren’t outrageously high. IBM’s 2019 report puts the average cost per compromised record at $150. That would have been a $1.18 billion price tag for a breach this size. Even including all the costs outside the class action settlement, Anthem’s apparent outlay was far lower than this. In addition:
- The stock remains well-respected as a good investment
- The company still serves over 78 million consumers directly and through its affiliates
- The company’s name is not synonymous with “bungled data breach.”
Not bad in the aftermath of one of the largest healthcare data breaches of all time.
The High Cost of Getting It Wrong
Sadly, there is no shortage of examples of badly managed data breaches. Yahoo is infamous for its poor handling of billions of hacked user accounts. They kept information about the incidents secret for years. Verizon knocked $350 million off their purchase offer for Yahoo as a direct result of the breaches and subsequent mishandling. The SEC also fined Yahoo $35 million for failing to promptly notify investors of its 2014 breach. The class action lawsuits are still ongoing, with an initial settlement offer of $85 million for 200,000 of the impacted users. An additional $80 million is on the table for shareholders who were misled about the state of Yahoo’s cybersecurity.
This flurry of blame and financial consequence will no doubt be the tip of the iceberg in terms of total costs over the coming years. Yahoo’s reputation may never recover. These days, no one really expects their Yahoo email account to be fully private or secure. Verizon’s acquisition hasn’t helped the image of the email provider either. Mistrust is high, with cybersecurity bloggers strongly encouraging users to ditch their Yahoo accounts and switch to competing platforms.
How Brands Are Hurt by Breaches
In terms of reputational damage, Target and Uber make interesting case studies. Varonis.com takes a close look at how brands are impacted over the long term by data breaches. Target was hit hard by loss of customer loyalty in the year after their massive breach. “Target’s consumer perception took a 54.6 percent dip the year following the data breach. In the following years, there was a generally steady uptick with an 84 percent increase from 2014 to 2018.” Firing the CEO was a new move in the cybersecurity breach response playbook for Target, but it appeared to have little effect on regaining customer loyalty.
Uber has still only partially recovered from its own debacle in 2017. The company failed to disclose its data breach promptly as required by law, compounding the damage. Interestingly, according to Varonis, it appears that millennials are much less forgiving than older shoppers when it comes to brand loyalty after a breach incident. This means the consumer brands of the future may face an even steeper loss of customers in the aftermath of a data breach.
Most Data Breach Response Plans Are Missing Key Elements
One might assume that debacles occur because companies are simply failing to execute on well-designed plans. That certainly happens, but there’s more to the story. The 2019 Verizon Incident Preparedness and Response Report indicates that the average response plan is full of holes large enough to drive an Uber through.
Incident Response Plan Statistics
- Less than 20% cite legal and regulatory requirements
- Less than 20% cite internal security policies and procedures
- Only 40% are periodically reviewed, tested, and updated
- Only 10% require internal stakeholders to periodically share knowledge
- Only 25% require metrics tracking
Better Planning Now Could Save Millions Later
With so much room for improvement, the question is obvious. How much money could companies save with better response planning?
It’s a safe bet to say the figure is in the millions. According to the Ponemon/IBM report, the average cost of a breach world-wide is $3.92M ($8.19M in the U.S.). Compliance failures tended to increase the average total cost by $350,000. In contrast, companies studied that had an incident response team and extensive testing of their response plans saved over $1.2 million in the aftermath of a breach.
According to Lunsford, this represents low hanging fruit for cyber response planning. “There are three key areas where plans can be quickly and measurably improved. Formation of an Incident Response team, extensive testing of the IR plan, and avoiding compliance failures are all out-of-the-box capabilities with BreachRX. Combined, these factors could save companies almost 40% in the average breach. That’s a savings of $1.55M worldwide and $3.24M in the U.S.”
No company can choose to be unhackable or 100% immune to data breaches. But they can choose to be better prepared—especially with the range of resources readily at hand.