Data breaches: don’t make a catastrophe out of a crisis

Successfully dealing with a data security breach can limit reputational damage as well as financial losses

It hasn’t been a great year for ride-hailing app Uber, what with lawsuits, allegations of sexual harassment and regulatory challenges to the company’s business model in several territories around the world.

But one of its biggest headaches has been, if not self-inflicted, at the very least mishandled by the company to make it far more damaging than it might otherwise have been.

In November, chief executive Dara Khosrowshahi revealed that in 2016 the company experienced a massive data breach. The personal information of around 57 million users and drivers worldwide, stored on a third-party cloud computing platform, had been stolen.

And it emerged that, rather than disclosing the incident at the time, Uber instead decided to pay the hackers a ransom of $100,000 to destroy the stolen data.

That decision will have legal consequences. A class-action lawsuit has been filed against the company in California, and data privacy regulators in the United States, UK and Italy have announced plans to investigate.

“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” says James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office.

“If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”

Indeed, responsibilities around reporting data breaches are set to increase significantly with the advent of the European Union’s General Data Protection Regulation next year.

Companies will be required to report breaches within 72 hours or face potential fines of up to €10 million or 2 per cent of their annual global turnover, whichever is the highest.

Meanwhile, EU member states will also be required to implement the Directive on Security of Network and Information Systems next year, again tightening up reporting obligations.

However, the financial risks of a data breach go beyond the penalties that can be imposed. Research from the Ponemon Institute, commissioned by security firm Centrify, found that the stock value index of 113 companies declined by an average of 5 per cent the day a breach was disclosed and in some cases up to 7 per cent. The share prices hadn’t recovered after 120 days.

The companies also experienced a customer churn of up to 7 per cent and 31 per cent of consumers impacted by a breach said they’d cut their ties with the organisation.

In fact, data breaches rank in the top three worst events for brand reputation, following terrible customer service and an environmental disaster; they even damage a brand more than a scandal involving the chief executive.

And some organisations tend to suffer more than others. “Regulated organisations, such as financial service companies and healthcare providers, tend to experience the most severe cost impact as measured by decline in share value, diminished brand and customer churn,” says Dr Larry Ponemon, chairman and founder of the Ponemon Institute.

“A recent example is the Equifax mega-breach involving the theft of more than 145 million consumers’ sensitive and confidential financial records.”

So how can organisations protect themselves?

According to the government’s Cyber Security Centre (CSC), the most common breaches or attacks arrive via fraudulent emails, tricking staff into revealing passwords or financial information, for example, or opening dangerous attachments. Next most common are viruses and malware.

And, says the CSC, the vast majority of these breaches could have been prevented using the government-backed Cyber Essentials scheme, aimed at helping organisations take basic steps to protect themselves against the most common types of cyberattack.

Particular weaknesses in the UK, it says, include poor password strength, a lack of formal policies on managing cybersecurity risk, poor cybersecurity training and a failure to plan for an attack with a cybersecurity incident management plan.

The key elements of this plan should cover containment and recovery, including damage limitation; an assessment of how the breach has increased future risks; a list of organisations and individuals that need to be notified; and strategies for dealing with the fallout of the breach, including reputational damage.

According to Chris Butler, principal consultant in cyber-resilience and security at Sungard Availability Services, it’s important to get your message out quickly, and that means doing as much of the work as possible in advance.

“Organisations must dedicate time to identifying potential scenarios, developing the appropriate messaging templates and selecting appropriate communications channels for each situation,” he says.

“It is recommended to carry out a comprehensive stakeholder analysis to identify the parties that will need to be informed as a priority.”

The resulting incident response plan should be adequately staffed and resourced, and needs to be kept updated to take account of new risks. It should also be regularly tested, ideally several times a year.

But the responsibility for handling a breach doesn’t end with the response team. It’s also important to make sure that staff throughout the organisation understand the importance of bolstering corporate reputation in the event of a security breach.

It’s crucial to enlist a crisis communications team that possess a sound understanding of the threats posed to the organisation

“It’s crucial to enlist a crisis communications team that possess a sound understanding of the threats posed to the organisation. However, in a crisis the onus is not just on the defined crisis communications team,” says Mr Butler.

“Senior management will need to be media trained in their responses to reduce damage to the business brand, keep staff feeling motivated and engender stakeholder confidence. They’ll be a vital conduit to creating market goodwill while the business establishes the nature and scope of the threat.”

When an organisation does get it right, the reputational fallout can be comparatively minor. Bupa, US home improvement firm Home Depot and Adobe have all been praised for handling breaches well.

In each case, the company informed customers and the authorities quickly, conducted full analyses to make sure that similar problems were unlikely to happen again and, importantly, kept people updated on both the ongoing risk to their data and the way the breach was being dealt with. As a result, customers felt reassured.

“Weathering a crisis will depend entirely on your organisation’s ability to arm itself and remain level headed when the time comes,” says Mr Butler.

“Businesses that deliver well-considered communications in the event of a cyberattack will demonstrate foresight and agility, repositioning themselves as a more resilient force.”