Are we underestimating the business impact a security breach may have on our clients? As information security professionals, most of us are familiar with case studies and analysis of the costs associated with a data breach. Aside from the loss of reputation and goodwill, there are the substantial costs of breach notifications, legal and professional fees, fines, and lost sales. Lost sales due to a data breach, the focus of this blog, can vary widely based on the type and severity of the breach, as well as business factors specific to the type of organization affected.
How might a breach affect your company’s sales? My prior assumptions on the topic changed significantly last week after listening to an ISSA presentation by Julie Machal-Fulks of Scott & Scott LLP, a New York & Dallas firm with legal expertise in data breaches.(1) Scott & Scott commissioned a study by the Ponemon Institute in 2007 on “The Business Impact of a Data Breach,” in which up to 20% of customers affected by a breach notification would consider taking their business elsewhere.(2) In a separate 2008 study by the Ponemon Institute, thirty-one percent of surveyed people terminated their business relationships with a company that suffered a data breach.(3)
Then Julie mentioned a statistic that I had not heard before. How might customers react to a second breach disclosed by a company? Up to 100% of its customers might terminate their business relationship. I found that number startling. After all, how many Berkeley students switched schools after that university disclosed its second data breach? I would expect none did, despite a loss of reputation for not protecting students’ private information.
But what if you are an entity disclosing a second serious data breach? According to a 2007 conference paper published by the Kansas City Federal Reserve, “While research has shown a disconnect between expressed consumer sentiment on privacy and their actual behavior, it has also shown that consumers respond strongly if a second data breach closely follows the first.”(4)
I believe several factors lead to different outcomes in this situation. If you produce a product or service that is highly desired and unavailable elsewhere, then fewer customers may terminate their relationship, even after a second breach. On the other hand, if your company’s products or services are viewed as a commodity, then pay close attention to what Julie said, and take a fresh look at your security strategy, policies, training, and infrastructure.
(1) Scott & Scott LLP, website.
(2) The Business Impact of a Data Breach, pdf.
(3) Consumers’ Report Card on Data Breach Notification, pdf.
(4) Nonbanks in the Payments System: Innovation, Competition and Risk- a Conference Summary, pdf.