New survey by the Ponemon Institute finds that data breaches can cause lasting and costly damage to the reputation of affected organizations
Findings quantify cost and time investment needed to recover from a data breach
Irvine, Calif., Oct. 27, 2011 — Reports of data breaches affecting some of today’s largest companies continue to grab the headlines of prominent news outlets nationwide. The damage experienced by a company after a data breach has lasting negative effects on brand equity and reputation. In fact, a recent survey* of nearly 850 executives, conducted by the Ponemon Institute and sponsored by Experian Data Breach Resolution, reports that the average time it takes to restore an organization’s reputation is one year.
In addition to the time and energy it takes to rectify the situation, a data breach has the potential to severely affect a corporation’s brand equity over the long term. Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $330 million, with an average brand value prior to the breach of $1.5 billion. Hence, the minimum brand damage was a 12 percent loss, increasing to nearly a one-quarter loss of the brand value in some instances.
“A solid reputation is a company’s greatest asset, and it is therefore imperative that business leaders take precautionary steps to protect themselves, their customers, their employees and their intellectual property against data breaches,” said Ozzie Fonseca, director at Experian Data Breach Resolution. “The way business protocols worked five years ago, even two years ago, has drastically changed, and we must prepare ourselves for the new threats to data and privacy. Data breaches are happening to all businesses — small, medium and large — and no industry is immune.”
All companies are susceptible to breaches of data, yet many are not prepared or equipped to handle the aftermath. Research findings showed that 43 percent of the companies represented in the survey had not instituted a data breach incident response plan prior to having such a breach. Companies spend a great amount of time putting crisis plans together — who’s going to call whom, who can speak to the media, etc. However, they are not including data breaches as part of this plan. In addition, most companies surveyed reported that they had experienced more than one data breach in the past few years.
"The loss or theft of sensitive customer data, as our study quantifies, can have a serious impact on the economic value of a company's reputation,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “We believe this study makes a powerful point about the importance of taking steps to reduce the likelihood of a data breach."
To help companies protect their reputation and keep customer and proprietary data safe, Experian Data Breach Resolution offers the following tips:
Create an incident plan so your organization is prepared to readily respond to a breach should it happen. Outline exactly what steps you’ll take if or when a breach occurs. Build your company’s response team in advance, including members with expertise in legal, public relations, compliance and risk management. Communication to consumers and government officials should be done simultaneously, so make sure to dedicate adequate resources in your company plan. Conduct data breach simulations and hold regular security training sessions with employees to review the company’s policies about data protection.
Be proactive instead of reactive. Start with prevention and assume that at some point you will experience a breach — and not one that you’re likely to discover until the damage has been done.
Here’s what can be done now to help secure and protect the information your company is responsible for:
• Segment sensitive data and restrict access
• Wipe physical media and shred paper documents
• Demagnetize external media and overwrite hard-drive data
If you don’t have the internal resources or know-how to cover the likely aspects of fallout from a potential breach, call in a third-party specialist to partner with your company through the breach resolution process. Having an expert on hand can help expedite the resolution, limit legal liabilities and increase customer satisfaction. Being prepared before a security breach occurs can mean a big difference to both your company’s bottom line and its reputation.
For more information, visit http://www.experian.com/databreach.
* Survey conducted in October 2011 by the Ponemon Institute
1 323 202 1075
Experian Data Breach Resolution
1 949 202 7296
About Experian Data Breach Resolution
Experian® is a leader in the data breach resolution industry and one of the first companies to develop solutions that address this critical issue. As an innovator in the field, Experian has a long-standing history of providing swift and effective data breach resolution for thousands of organizations, having serviced millions of affected consumers. For more information on how Experian Data Breach Resolution services enable organizations to plan for and successfully respond to data breaches, visit http://www.experian.com/databreach.
Experian is the leading global information services company, providing data and analytical tools to clients in more than 80 countries. The company helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.
Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended 31 March 2011 was US $4.2 billion. Experian employs approximately 15,000 people in 41 countries and has its corporate headquarters in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.
For more information, visit http://www.experianplc.com.
Experian and the Experian marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.
# # #