Data breach! On winning the reputation game - a question of leadership
It can be tempting to keep schtum on discovery of a data breach, especially one that has gone unnoticed for a while. Companies from Yahoo to Uber have fallen foul of this in recent times and, once the breach was made public, the impact on their reputations was swift and punitive. We all make poor decisions and we all make mistakes. The trick is to own your mistakes, learn from them and compensate or protect anyone who may be affected by your poor decisions. Being caught actively trying to hide a breach, or burying the investigation and failing to alert organisational stakeholders, demonstrates questionable morals, poor judgement and weak leadership.

The thinking might go like this: “By owning up to a data breach we risk loss of revenue, legal action and reputational harm on top of the bill we already face for repairing the damage and improving security”. However, with around a third of us having been affected by a data breach, we are becoming conditioned to expect that data breaches will happen; these are forgivable provided they are handled correctly, ie according to the prevailing rules and regulations.

In addition to the reputational damage, the cost of staying quiet is potentially far higher than the cost of coming clean quickly, which, from 25 May 2018, organisations will be legally obliged to do: the General Data Protection Regulation (GDPR) seeks to safeguard people from the consequences of a breach by requiring data holders to notify the authorities, and the individuals affected, within 72 hours of discovering that security has been compromised.

The trouble with sweeping a security breach under the carpet is that it exposes clients and other organisations to further damage: individuals are not warned to change their passwords, and other organisations using similarly vulnerable software remain ignorant of the dangers. This means attackers who have targeted large data sets gain valuable information that can either be used to perpetrate identity fraud (name, address, national insurance number etc), or to acquire online credentials that can be reused across a range of premium or sensitive sites. Leaders who collude to cover up a data breach are effectively acting to support the data thief and their criminal activities.

The cost of non-compliance

The GDPR aims to give breached organisations no hiding place. Failure to comply with the 72-hour disclosure rule comes at a potentially crippling cost, with fines of up to two percent of annual worldwide revenue or €10 million, whichever is higher. That is an eye-watering penalty compared with the maximum £500 000 the Information Commissioner's Office (ICO) can currently impose.

With stakes that high, even though many of the GDPR terms are currently still open to interpretation, what organisation would want to test them in court?

Although the new rules are an EU regulation, Brexit changes nothing. Not only was the UK a key proponent of the GDPR, but the regulation is designed to apply to organisations not wholly active in Europe as much as those whose national market is inside the EU.

For some organisations an ICO fine alone may not be enough to sink them or make them think twice, but in a competitive market they may well be damaged by the additional costs of losing customers and reputation.

How to win the reputation game

Ultimately, responsible handling of data is not about avoiding fines: it is about safeguarding reputation. You can put a price tag on non-compliance with the GDPR in terms of the penalty available to the regulator, but what price loss of shareholder and customer confidence?

Providing good security, adopting an ethical approach to customer data, and making sure you are fully compliant with all data protection legislation is a winning formula for strengthening an organisation's stewardship and its standing.

As data breaches gain more and more coverage, it seems to follow that consumers will not just flock to the service with the best usability, nor will organisations compete solely on price. They will also compete to demonstrate their security credentials to a possible user base.

No one is being so bold as to say that your organisation is above being the victim of a breach. In fact, Robert Mueller, former FBI director, suggests that there are only two types of company: those that have been hacked and those that will be. What is key, though, is how your organisation is geared up for protective monitoring and breach alerting and, furthermore, how your organisation can respond when an incident is discovered.

So, consider these questions:

Does your organisation employ any form of protective monitoring and breach alerting?

Do you have a robust and tested incident response plan, and does this cover elements such as authority liaison and media training in addition to technical controls?

Do you understand your mandatory obligations under GDPR and have you factored this into your roadmap?

Have you protected your customer information through anonymisation and robust encryption?

Do you have an incident response plan for breaches, and has it been robustly tested?

Do you understand the ways to report a security breach?

In the words of Uber's newly appointed CEO, Dara Khosrowshahi: “The truth is that there is a high cost to a bad reputation.” Developing a strategy to handle a breach effectively and conduct appropriate reporting will, in the vast majority of cases, come at a far lower cost than non-compliance – both financially and reputationally.

Contributed by Graeme Park, senior consultant at Mason Advisory

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.