Data Protection Committee Update: The Effect of a Data Breach on Brand Value
Published: March 1, 2020
James Bikoff Smith, Gambrell & Russell, LLP Washington, D.C., USA
Nicole DelleDonne Brandsight, Inc. Saratoga Springs, New York, USA
Susan Natland Knobbe, Martens, Olson & Bear, LLP Irvine, California, USA Data Protection Committee
Almost every week a brand owner discloses that a data breach has occurred. As brand professionals and ambassadors of the brands of our clients and organizations, we know that the effect of a data breach goes far beyond the concrete costs and resources in dealing with a breach.
Studies have shown-and common sense supports-that a data breach can cause substantial damage to brand value due to harm to the goodwill in a brand and loss of consumer trust. Thus, a data breach is not just a data privacy concern; it is a concern of all stakeholders and especially those who protect the goodwill of brands.
Data breaches impact global brands and small and medium-sized enterprises alike. They draw media attention which results in unwanted public exposure, especially in cases in which personal customer data is disclosed. Additionally, data breaches can diminish the value of a company, impact stock performance, and result in a lower purchase price for an acquisition.
During the course of the 2018‒2019 Committee Term, the Data Protection Committee studied the effects of data breaches on brand value in order to provide educational materials to INTA members that describe the potential harmful effects of insufficient data protection safeguards and standards in their organizations and with their clients.
This article summarizes the research conducted by IBM and the Ponemon Institute in their 2018 and 2019 studies on the cost of data breaches-in particular, the factors that both increase and mitigate damage after a data breach. This infographic (reprinted with permission) contains the most important cybersecurity cost and risk highlights.
The full reports can be found here:
Data Breach Cost by the Numbers
- The average cost of a data breach in the United States increased 130 percent over the last 14 years;
- The average cost of a stolen record increased by 6 percent between 2017 and 2019;
- The average size of a breach increased by 6.2 percent between 2017 and 2019;
- The average U.S. data breach cost in 2019 was $8.19 million, followed by the Middle East at $5.97 million;
- In 2019, South Africa was reported to have the highest probability of a data breach (43 percent);
- In 2019, Germany was reported to have the lowest probability of a data breach (14.3 percent);
- Financial services, services, and industrial manufacturing industries experienced the highest frequency of data breaches in 2019;
- The health ($429) and financial sectors ($210) had the highest per capita data breach costs in 2019;
- 51 percent of data breaches were caused by malicious or criminal attacks in 2019; and
- In 2019, the per-record cost of a malicious attack was 25 percent higher than breaches caused by human error or system glitches.
Mitigating the Cost of a Data Breach: Key Takeaways
The likelihood of experiencing a data breach has steadily increased over the last five years, from 22.6 percent in 2014 to 29.9 percent in 2019, representing a 31 percent growth rate. The 2019 study indicates that the average total cost of a data breach is US $3.54 million and that the average cost per lost or stolen record is US $150. This represents a considerable increase as compared to previous report averages.
As the 2019 study shows, the consequences of a data breach linger long after the incident. The first year after the incident accounts for only 67 percent of the total cost: 22 percent of costs were incurred in the second year, while 11 percent of the costs occurred more than two years after the data breach.
While it is obviously best to avoid a data breach altogether, if (and likely when) one occurs, there are concrete steps a company can take to preserve customer trust and mitigate the loss of brand value. These include the following:
- Instituting programs that preserve customer trust and loyalty in advance of the breach, which will help to reduce the loss of customers;
- Hiring a Chief Privacy Officer, Data Privacy Officer, or Chief Information Security Officer who is responsible for managing customer trust initiatives, which will reduce customer loss after a data breach; and
- Offering post-breach identity protection to reduce customer loss, which will in turn reduce the cost of a breach.
The studies also showed a significant correlation between the speed of response to a data breach and the cost to a company, as follows:
- The breach lifecycle—the time between when a data breach incident occurs and when it is ultimately contained—was 279 days in 2019. On average, a data breach existed for 206 days before it was identified, and it took another 73 days to contain the breach.
- The faster a data breach can be contained, the lower the cost: breaches with a lifecycle of fewer than 200 days cost on average $1.22 million less than breaches with a longer lifecycle. However, a rush to notify customers without fully understanding the situation increases the cost of a breach.
- The existence of an incident response team was shown to reduce the cost of a data breach by as much as $14 per compromised record, as compared to the average total cost per record of $148.
- The extensive use of encryption within an organization can lead to decreased costs.
- Finally, companies should be validating not only their own security but that of their third-party partners while also proactively designating and training internal resources as part of an incident response team.
Further, effective management of detection and escalation can significantly affect the cost of a data breach:
- Pre-breach business continuity management reduces the cost of a data breach. Companies should be taking steps to proactively identify disaster recovery, business recovery, and crisis management plans. The existence of defined resources and plans can lead to faster containment and lower costs.
- The often-necessary engagement of consultants to assist with post-breach remediation was shown to increase the cost of a breach.
- The existence of insurance protection was shown to decrease the cost incurred from a data breach. Today, there are several companies offering cyber insurance. In 2018, three million cyber-insurance policies were in force.
Practical Advice for Brand Professionals
Brand professionals can work to actively mitigate the likelihood and cost of a data breach. Potential measures include the following:
- Appointing a trademark practitioner to the organization’s data breach response team for planning;
- Engaging the team in training on privacy best practices so it understands the underlying principles and technology;
- Encouraging the team to keep the management and Board of Directors informed of its activities;
- Educating other team members and management about the negative impact data breaches can have on brand value and goodwill;
- Ensuring that the trademark team is engaged in public response, through review of its escalation management materials; and
- Notifying customers whose data was compromised as early as possible after the breach to minimize reputational losses.
As the prevalence of data breaches continues to increase, companies should be aware of the costs and risks that they pose. Although avoiding data breaches altogether is almost impossible, companies can preserve consumer trust and mitigate the loss of brand value by proactively investing their resources in information technology and security systems, data privacy programs, and detection and escalation management. In drafting and executing these measures, brand professionals can play a central role in mitigating the damage caused by data breaches and in preserving brand value.
Although every effort has been made to verify the accuracy of items in the INTA Bulletin, readers are urged to check independently on matters of specific concern or interest.
© 2020 International Trademark Association