BreachExchange mailing list archives

Compared to data breach costs, an ICO fine is simply a drop in the ocean


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Dec 2015 18:07:58 -0700

http://www.itproportal.com/2015/12/10/compared-to-data-breach-costs-an-ico-fine-is-simply-a-drop-in-the-ocean/

For companies today, the potential for a data breach has never been higher.
With the increasing sophistication of cyber threats, the growing use of the
cloud and the ignorance of some when handling sensitive data, the frequency
of data breaches is only going to escalate.

Indeed, during Home Secretary Theresa May’s speech to announce the new UK
Surveillance Bill, she referred to the positive impact technology has had
on all our lives but, at the same time, how it has created new threats.
While the bill itself may have received a lot of criticism, no one can
really disagree with her on that point. Despite all its benefits,
technology now forms the foundation of arguably all of the threats facing
us and our data.

More often than not, when an organisation suffers a data breach there is
one party that is impacted far more greatly than anyone else – the
consumer. As companies continue to collect more and more data about their
customers, any breach will likely result in personal information becoming
compromised. Moreover, this issue will only worsen as the impending EU Data
Protection Regulation changes will expand the definition of ‘personal data’
to include email addresses and any information which can be used to contact
the user. Currently, however, UK businesses are expected to comply with
laws such as the Data Protection Act, and fines of up to £500,000 can be
handed out for non-compliance by the Information Commissioner’s Office
(ICO).

You’d think that the potential for a fine of half a million pounds would
provide enough incentive for businesses to put in place the relevant data
protection measures to remain compliant, however, that’s not always the
case. What should get businesses in a cold sweat then is the other ongoing
data breach repercussions which, when tallied up, will make the ICO fine
seem like a drop in the ocean.

Firstly, any data breach will have a pretty significant impact on a
company’s reputation. A fall in consumer trust results in a loss of
customers and, therefore, a drop in sales. If the company is listed,
there’s the decrease in share value to contend with too. Take TalkTalk for
instance: following its data breach its stock price fell by 10 per cent.
Falling share prices often mean unhappy shareholders, and that can result
in the CEO being forced out, just ask Gregg Steinhafel (the former CEO of
Target). TalkTalk will also find it a challenge to attract new business in
the future; consumers aren’t going to simply forget about the breach
and will instead spend their money with competitors which have cleaner
histories.

Next up there’s the costs of putting things right. Following a data breach,
all impacted parties including existing customers, potential new customers
and even the workforce need to be won over. This can involve a number of
things depending on the type of breach. For example, if a breach
compromises bank details, the offending company may have to offer free
credit monitoring services to those affected so they’re made aware of
fraudulent activity that may take place as a result. If a breach impacts a
large number of consumers, the organisation will need to dedicate resources
to deal with the onslaught of angry customers who will inevitably call to
vent their frustrations and perhaps want to leave. Indeed, while it may
seem easier to shy away from such phone calls, not communicating with the
impacted parties will simply exacerbate the situation. The morale of the
workforce is also important to consider. Even if they haven’t been impacted
directly, no one wants to work for a company that is on the receiving end
of negative press.

Finally, there’s the incredibly damaging potential for ongoing lawsuits
from victims. When an individual has their data compromised, they can
become vulnerable to targeted extortion attacks and argue that they should
be compensated for the breach in trust. Just recently Sony paid out $8
million to employees impacted by its 2014 breach and more than 2,000
current and former employees of Morrisons are suing the supermarket after
their details were compromised online. What’s really worrying for
businesses, however, is that in the well-publicised Google v Vidal-Hall
case, the Court of Appeal ruled that claimants don’t even have to prove
monetary loss and can simply claim for the distress caused.

It’s undoubtable that a data breach can have catastrophic consequences for
any company. The effects can last years and firms will have to invest a lot
of time and resources in order to rebuild public trust. Then, just to
re-open old wounds, there’s the ICO fine to deal with. The public sector
body publishes press releases alongside its fines to ensure everyone is
aware of the action which has been taken and who against, meaning consumers
will once again be reminded of any breach.

Ultimately, if the never-ending list of expensive data breach repercussions
isn’t enough to get businesses to remain compliant with data regulations,
what hope does the consumer have?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss