Can You Afford A Data Breach?

29 Oct 2014

Companies, and the industry overall, want to associate a dollar amount with a data breach. It’s a benchmark for how bad the data breach was, in terms that all organizations can understand: the almighty dollar. The Ponemon Institute, an independent breach research organization, calculates the cost of a data breach to be between $120-$250 per breached record. Considering how many records businesses keep in their internal environment, a data breach can be devastating. Do the math for your own organization. For example, Company X has 1,000,000 records. Multiply that by the low-end figure of $120 per breached record, and you end up with around $120,000,000 in breach exposure. Accurate or not for your particular organization, the figures are certainly not in your favor. Can you afford a data breach? Can your reputation recover?

Interestingly, organizations also try to associate a cash value with each customer lost due to a data breach. How do you predict losing a series of customers after you are breached? You can’t! While some organizations will apply predictive analytics to understand their breach exposure, they will never know the total cost of a data breach or what that cost will mean for the business. There are too many variables. Take another example: what’s the cost of one victim/customer suing a breached organization versus a class-action lawsuit by multiple victims/customers? The variance is too broad to estimate accurately.

Ultimately, you take every step forward to address the situation and be honest about what happened. PR teams, forensic experts, attorneys – lots and lots of attorneys – will be seeking hefty retainers to guide you through the recovery process. With all of the money that you will spend on a breach, you still may not be able to recover your customer base, but there are some solutions to avoid being the next data breach.

How Long Will it Take To Win Your Customers Back?

A current survey by The Ponemon Institute and Experian said that 54% of companies believe the reputation recovery period to be anywhere from 10 months to 2 years. That period of time could severely hamstring your cash on hand, planting you squarely in the hands of new hungry debtors. This reputation rebuild starts the moment you find out you are breached. Studies show that stockholders and customers will forget about your breach, but how long can you sustain overhead with shrinking profits for up to 2 years? Target profits dropped 46% in the first quarter after their breach.

Be Honest With Your Customers

Legal expert Aravind Swaminathan, who is a Partner in the Privacy & Security and Litigation Practice Groups at global law firm DLA Piper, recommends that, once the discovery and information gathering phase is completed, companies should go public with a single announcement rather than a series of “piecemeal” announcements. I agree that a single announcement is the right approach, but the focus of the announcement should be full transparency. The more information you leave out of the announcement, the larger the scale of customer abandonment if any indicting information is shared/leaked in the future. This will also help your future data security strategy. Knowing and identifying where you fell down is paramount to establishing a new data security strategy.

1/3 of Your Customers Will Leave You

No Dear John letter bemoaning your lax data security policies. No phone call to let you know it’s them and not you.  Breakups are ugly and consumers hang on to bad experiences longer than you think. Bob Wice, the U.S. Focus Group Leader for Technology, Media, and Business Services at specialist insurer Beazley, cited a recent study by the Economist Intelligence Unit that found more than a third of customers at companies which suffered a data breach no longer did business with the companies in question “because of the breach.” That is insult to injury that no company wants to hear.

What Happens If I get Breached More Than Once?

Start discussing severance packages and call your favorite recruiter. Seriously! If your problems are systemic, then it is time for an entirely new approach. Hire a really good PR firm to spin your story and look for a new leader to manage your data security. Distance between the culprit and the victim, whether deserved or not, seems to be the first step to recovery. If you are the culpable one, you won’t know until it happens. Data security always seems to be one step behind the breaches. JP Morgan/Chase learned this the hard way and so have throngs of other companies. There ARE security solutions that currently exist that will not expose all of your sensitive payment card data, social security numbers, Personally Identifiable Information (PII), etc. It is tokenization of that data, plain and simple. When you tokenize sensitive data, even if the tokens are breached there is absolutely nothing the cyber thief can extract from them. A token is a meaningless value.

All of the Cool Kids Are Tokenizing…

Visa, MasterCard, Amex, MCX, Discover, and ApplePay are all tokenizing payment card data. That is quite the invite list for a payment card soiree, and more and more companies are looking to tokenization for another layer of their data security. MCX (Merchant Customer Exchange) has rejected ApplePay at all of their locations, despite the fact that 1 million credit cards were activated on the first day of availability. MCX has their own payment solution focused on cutting out the payment processor and going straight to the bank. Competition is a good thing and both solutions are pushing the boundaries of securing your data environment. More tokenization solutions present themselves every day. You want to make sure that you can tokenize all of your data and, if you ever leave your tokenization provider, that your sensitive data will go with you.

Tokenization Will Reduce PCI Compliance When Done Correctly

True cloud tokenization tokenizes each piece of sensitive data and holds it in a secure cloud environment. You still maintain unlimited flexibility in how you access, store, and secure your data, while remaining processor agnostic. By ridding your environment of the toxic data, you immediately reduce your PCI compliance scope. Some of the aforementioned companies are offering the tokenization service for $.52/token, while we are at pennies on the dollar. We remove the toxic data from your environment altogether. At TokenEx, we integrate with all processors and gateways, but more specifically, we integrate to your environment and your data will always be yours. Find out how most of our customers pay for our tokenization service with the reduction in PCI compliance and other audit-related costs. Follow us on Twitter and LinkedIn.
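To make concrete why “a token is a meaningless value” and what the vault described above actually holds, here is a vault-style tokenizer written as an added illustration. It is not TokenEx’s code or any vendor’s implementation; the vault class, the HMAC fingerprint key and the sample card number 4111111111111111 (a well-known test number) are all constructed for the example. The token is drawn from a CSPRNG, keeps only the last four digits so receipts can still say “ending in 1111”, and is deliberately rejected if it passes the Luhn check, so a stolen token can never be mistaken for, or used as, a real card number.

```python
"""Vault-style tokenization, added as an illustration (not TokenEx code).

A card number (PAN) is swapped for a token generated from a CSPRNG.  The only
link between the two is a row in the vault, which lives outside the merchant's
environment.  Whoever steals the merchant's token table gets nothing usable.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token -> PAN table.  The key is a constructed example value;
    it is only used to build a keyed fingerprint so that the same PAN maps to
    the same token without storing a plain (offline-guessable) hash of it."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._token_to_pan: dict[str, str] = {}
        self._fp_to_token: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token; the PAN never leaves the vault."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._fp_to_token:       # same PAN -> same token (idempotent)
            return self._fp_to_token[fp]
        while True:
            # Same length, random body, real last four digits kept for display.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any candidate that passes Luhn: a token that
            # fails Luhn cannot be confused with, or replayed as, a real PAN.
            if token in self._token_to_pan or luhn_valid(token):
                continue
            break
        self._token_to_pan[token] = pan
        self._fp_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or a processor it trusts) can turn a token back."""
        return self._token_to_pan[token]


def main() -> None:
    vault = TokenVault(b"constructed-example-key")   # constructed, not real
    pan = "4111111111111111"                          # well-known test PAN
    token = vault.tokenize(pan)
    # What the merchant stores and what a breach of the merchant would expose:
    merchant_db = {"order-1001": token}
    print("merchant holds :", merchant_db)
    print("Luhn-valid?    :", luhn_valid(token))      # False by construction
    print("vault resolves :", vault.detokenize(merchant_db["order-1001"]))


if __name__ == "__main__":
    main()
```

Two design points worth noting: the fingerprint uses an HMAC rather than a plain SHA-256 of the PAN, because a plain hash over the roughly 10^15 possible card numbers for a given BIN is cheap to invert offline; and the token is random rather than encrypted, so there is no key whose loss would turn every token back into a card number.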