Fines for non-compliance with data regulations are just the tip of the iceberg
ICO fines should be the least of a company's worries should it suffer a data breach, according to Nigel Hawthorn, who argues that the on-going and potentially business-fatal repercussions of a data breach should be the main concern.
Nigel Hawthorn, European spokesperson, Skyhigh Networks
When announcing the new UK Surveillance Bill, home secretary Theresa May began by saying that technology is having a profound effect on our lives and that it continues to offer many opportunities, but that with it come great threats. While many may disagree with the rest of her speech and the contents of the bill, it's hard to argue with her on that point. For companies today, the internet is no longer a safe place. With the increasing frequency of state-sponsored cyber-attacks, the use of insecure cloud applications to store data, and employees unwittingly mishandling the information they work with, the potential for a data breach has never been higher.
In the vast majority of cases, a data breach is likely to impact one party more than anyone else – the consumer. With companies collecting ever-more information about their customers, any data breach will probably involve the loss of personal information. In a bid to protect consumers, companies are governed by data regulations such as the Data Protection Act, with fines of up to £500,000 handed out for non-compliance by the Information Commissioner's Office (ICO).
The possibility of these huge fines should be enough to get businesses to act and put in place the required measures to remain compliant. However, it's the other on-going and potentially business-fatal repercussions of a data breach that should really have firms in a cold sweat.
To begin with, a data breach of any size will have a significant impact on a company's reputation. A fall in consumer trust will lead to a loss of customers, a loss of revenue and, if the company is listed, a reduction in share price. Take TalkTalk for example: in the immediate aftermath of its data breach its share price nosedived to 225.3p, a drop of 10 percent, reflecting the uncertainty that surrounded the company. In the future it may also find it difficult to attract new business. Are consumers going to choose TalkTalk over competitors which haven't experienced a breach? It's unlikely, unless, of course, it offers much cheaper deals, a decision that would hit its forecasts further still.
The remedial costs of putting things right are a huge expense too. A business that suffers a data breach needs to get its existing customers, potential new customers and even its employees back on side. This can involve many things. For example, if a breach compromises bank details, the offending company may have to offer free credit monitoring services to those affected so that they are made aware of fraudulent activity on their accounts. For breaches that impact consumers, firms will have to dedicate resources to dealing with disgruntled customers, because not responding, or taking too long to respond, will simply make the situation worse. Employee morale is also important to consider: even if staff haven't personally had their data compromised, no one wants to work for a company that is surrounded by bad news. Businesses will need to invest resources in ensuring that all directly and indirectly affected groups are looked after.
Another potential ongoing ramification is lawsuits from victims. When individuals have their data compromised, they become vulnerable to targeted cyber-attacks and can argue that they should be compensated for the breach of trust and privacy. Recently Sony paid out US $8 million (£5.3 million) to employees impacted by its 2014 breach, and more than 2,000 current and former employees of Morrison's are suing the supermarket after their details were leaked online. Perhaps more worrying for businesses is that claimants can claim for distress without having to prove monetary loss, a point highlighted in the Google v Vidal-Hall case.
There is no doubt that a data breach can have catastrophic consequences for a company of any size. The ongoing fallout can last years, and organisations will have to devote time and resources to regaining public trust. Then, to rub salt in the wound, the company will have to deal with the ICO fine, which will likely come with a press release, meaning that even if the public had forgotten, they'd be made aware of the breach once more. Ultimately, if the seemingly never-ending list of expensive and damaging data breach repercussions isn't enough to get businesses to remain compliant with regulations, what is?
Contributed by Nigel Hawthorn, European spokesperson, Skyhigh Networks