Customer confidence is at risk when a data breach occurs.
When TJX Corp. reported lower profits for the first quarter of 2007, CEO and president Carol Meyrowitz said "comparable store sales results in April were below our expectations, which we attribute to the unseasonably cold and wet weather across most regions of the country during the first half of the month."
Was she actually blaming April showers--not the biggest credit-card number heist in history--for disappointing sales at TJX discount stores T.J. Maxx, Marshalls, Bob's Stores and others?
But Meyrowitz's comment was not far-fetched.
"It's almost impossible to correlate a security breach to retail sales," says John Pescatore, a vice president at Gartner. Weather patterns, layoffs, expansion, fuel costs and yes, well-publicized security breaches--all of these affect a company's bottom line to varying degrees.
Indeed, it's safe to say that some of TJX's longtime customers will continue to shop at its stores. Yet others will view T.J. Maxx with suspicion for months or years to come, undermining decades' worth of efforts to promote TJX's brands.
THE COST OF A BREACH
"Any breach has the tendency to dampen greatly whatever you are spending around your brand," says Kirk Herath, chief privacy officer, assistant vice president and associate general counsel at Nationwide Insurance in Columbus, Ohio. "I don't know if it cancels it out exactly, but for every dollar you spend on paid media, your negative, unearned media is out there as well."
"Customers will churn if they feel a company can't secure their data," says Larry Ponemon, founder of the Ponemon Institute, a research firm specializing in privacy and information management practices. "The customer translates bad data practices as lack of respect and thus may lose confidence" in any organization that can't keep information safe.
Case in point: Bank breaches and phishers posing as banks "may mean a slippage in online banking," where transaction costs are lowest and bank margin highest, says Ponemon. The bottom line and the brand are both affected--the consumer's view of online banking transactions as less-than-secure means they might choose to engage in more costly face-to-face transactions, while trust in a bank's brand has also been undermined. According to a Ponemon Institute study, 36 percent said they do not bank online, with two-thirds of those respondents citing fears or concerns about privacy as the reason. Of the 61 percent that said they do engage in online banking, more than half do not use automated bill pay or online cash transfer services.
In the case of TJX, it was widely reported that "auditors knew about these problems, yet everyone ignored the auditors," says Mary Monahan, an analyst with Javelin Strategy & Research. "Until [those with lax security practices] are punished, they are not going to change their behavior."
TOUGH TO MEASURE
Trying to wrap a dollar figure around brand value--and the attendant drop in its worth if a security breach were to take place--can be extremely daunting. "We're quantifying what trust means," says Nationwide's Herath. "I'd say that if we have this conversation again in two years, we'll have quantified it even more."
One of the reports Herath relies on to help add up the numbers is the Ponemon Institute's annual Cost of a Data Breach survey. The 2006 report calculated the direct and indirect costs incurred by a company at $182 per compromised record.
In addition, the survey considers "opportunity loss." "When you have bad press, you are not likely to get as many customers. Someone offers you a Marshalls [credit] card, and you are maybe thinking twice about that now," Ponemon says.
A Team Effort
Creating an incident response plan must be a collaborative effort.
The most effective incident-response plans--the ones most likely to minimize post-breach damage to brand or reputation--incorporate many points of view, not just IT's.
Members of an organization's public affairs, risk management, call center, human resources and legal teams, as well as representatives from the C-level, need to gather before an incident occurs to discuss possible effects on their divisions as well as strategies to respond to and contain a breach, says Ernie Hayden, CISO and manager of enterprise information security at the Port of Seattle.
If these relationships and plans are in place when a security breach occurs, "your response will be that much more effective and timely," says Hayden.
What's more, obvious though it may seem, organizations must adhere to the incident-response plan they've carefully crafted when something happens, plus test it along the way.
Kevin Mandia, president and CEO of Mandiant, an IT security consulting firm based in Alexandria, Va., agrees. Another common pain point is that "there is no high-level direction," no czar tapped to oversee that an incident response plan is adhered to in the event of a security breach.
Mandia says he has helped create incident-response plans for organizations ranging from Royal Bank of Canada to the Campbell Soup Co. While collecting information from staff in legal, IT, operations and various lines of business is a must, so is interviewing individuals one at a time. Employees who can speak freely about the work they do and how they perceive it intersects with others' responsibilities are going to contribute to an incident response plan that most accurately reflects how the organization truly functions.
"We don't have people's bosses sitting there, because it will influence the course of the interview," Mandia says. "We ask them, what are the things you are worried about [in the event of a security incident]? If the leak of medical records were their biggest fear, I'd ask them how they would know if that sort of data had been compromised. I'd also then ask the IT folks about the mechanisms in place to safeguard that information."
Once the information is collected, a practitioner must piece it all together to form a big-picture view of an organization and its incident-response strengths and shortcomings, and devise a plan accordingly.
Including multiple points of view in the IR plan will help develop one that truly mirrors the organization both before and after an incident. Remember, lots of people within an organization--not just IT folk--will be cleaning up afterward.
About 55 percent of the dollar value of responding to an incident and its fallout is borne by marketing, as that group seeks to replace customers who've taken their business elsewhere, according to the Ponemon Institute's annual "Cost of a Data Breach" survey from October 2006. Meanwhile, Javelin Strategy & Research notes that less than one in five respondents--out of 2,800--said they would continue to shop at companies that sustained data breaches; it's extremely costly to replace those customers.
Customer support shoulders another 34 percent, as it advises customers of the breach via email and paper letters and responds to questions coming into the organization's call center about the incident. Legal, risk management and audit groups bear about 11 percent of the cost, conducting their own investigations into the incident.
Total cost incurred by 31 responding companies that sustained a data breach ranged from $226,000 to $22 million, with an average of $4.8 million spent per incident, notes the Ponemon report.
--Amy Rogers Nazarov
One piece of good news is that only 0.8 percent of the time does a data breach extend beyond notification; in other words, "992 people will get a notice [that their personal data has been potentially compromised]," Javelin's Monahan says. "The other eight will experience actual fraud." The bad news is that many more customers than those who actually must fight fraudulent charges are left with an unfavorable view of the company.
Banks may see their brand tarnished in part because customers don't always understand the relationship between merchant banks, credit card associations and retailers. The mud from a breach splatters on lots of different links in the payment chain.
MANY ENTITIES AFFECTED
The repercussions from the BJ's Wholesale Club breach in 2004 caused "a huge reputational hit for our institutions," says Bruce Spitzer, director of communications for the Massachusetts Bankers Association. "Customers [erroneously] tend to think that maybe the bank is at fault because they have to wait for new cards," he says, noting that banks not only absorb the cost of issuing new cards--which the MBA puts at about $25 each--but also the cost of any fraud that arises from abuse of that card number.
In April, the MBA filed a class-action lawsuit against TJX in U.S. District Court in Boston, seeking to recover tens of millions of dollars in damages. The Connecticut Bankers Association, the Maine Association of Community Banks and other individual banks have joined the suit.
"Is retailers' primary objective to protect customers or not?" Spitzer says. He hopes the suit will make "retailers finally wake up and admit they have a financial incentive to invest in better systems." Federal legislators such as Rep. Barney Frank (D-Mass.) may soon introduce bills that would hold retailers responsible for these costs; similar efforts are being discussed at the state level in Connecticut, Minnesota and California.
Potential brand damage to organizations can serve as a lever to pry loose funds for new security projects that defend against data theft, IT professionals say. "Because we have been able to quantify it, we have had some very good experiences with selling security and privacy" to top management, says Nationwide's Herath.
Be aware, though, that while marketing might have a strong interest in security products' ability to protect brand, IT may well be thinking in other terms, like those products' scalability, effectiveness and price.
CONSIDER ALL RISKS
During product or process evaluation, it's necessary to consider the entire spectrum of the risk you seek to minimize. Brand damage is one measure, but so is the risk of incurring fines for things like failure to comply with PCI. Under PCI, credit card processing organizations that fail to implement specified procedures to keep data safe may be hit with costly fines; at the extreme, they may be banned from processing credit card transactions.
Both of these matter dearly to Beverly Magda, CIO of The Humane Society of the U.S. "We would rather put the money into securing our systems than in paying [PCI and other] fines, and losing the trust of our donors," she says.
While "it's hard to put loss of reputation into dollar figures, if donations were to go down after a security breach," it's a metric that could not be ignored, Magda says. Julia Wellman, senior member of the technical staff at Carnegie Mellon Software Engineering Institute's CERT program, considers the difference between governance--overseeing and ensuring the mission of an organization is being met--and management, which is more concerned with executing and implementing the things that need to be done to keep the organization operating according to its goals.
Ideally, both sides "work together to build and maintain a positive image in the marketplace," she says. "It's hard to build, and it's easy to lose."