The Costs and Consequences of Data Breaches on Customer, Employee, and Stakeholder Relationships
Data breaches, hacks, and leaks have become so ridiculously common that sometimes you can't help but wonder, "Should customers just expect to have their data stolen as part of their experience with a company?"
If you’ve replaced your credit card over the past few years due to a breach or two or three, then it is possible you have wondered the same thing.
No industry has been immune to data breaches. Tens of millions of customers have had their personal bank account numbers, credit card numbers, social security numbers, e-mail addresses, passwords, and home addresses and phone numbers stolen, exposed, held for ransom, or offered for sale on the dark web.
A long list of breaches
Well-known brands like Equifax, Target, Panera, Delta Airlines, Verizon, Deloitte, Yahoo, Saks, Jason’s Deli, Orbitz, and the U.S. Office of Personnel Management (OPM) have all been targeted and have paid the consequences.
Some are still paying. So are the customers who were impacted by the breaches.
But what, exactly, are the consequences of a breach?
Data is an asset when it is managed properly. But when it is mishandled, disaster looms.
Like many things, the cost of a breach “depends.”
The costs of a data breach depend on many things. But nobody ever gets a free pass.
“For consumers, the consequences of a breach depend on where they are in their lives,” explained Kristin Dohn of the Consumer Financial Protection Bureau (CFPB) in Washington, DC. The CFPB is a U.S. federal government agency that enforces federal financial laws and protects consumers in the financial marketplace.
Kristin launched a response team to handle customer concerns after the Equifax breach in 2017. This was one of the biggest breaches of modern times that exposed more than 145 million customers to fraud.
Because of that breach, consumer identity theft was and still is a real concern.
“Let’s say you’re at a point in your life where you’re about to buy a house. A breach that leads to your identity being stolen can have a definite negative impact on your ability to buy that house,” Kristin said.
Multidimensional costs for businesses
For companies and government organizations, the financial costs of managing a data breach are nothing short of astronomical. Estimates across the industry put the cost into the millions of dollars to tens of millions of dollars, depending on the size and scope of a breach.
Here is a shortlist of things you’re likely going to have to pay for.
Hiring crisis communicators
Hiring forensic information security experts
Delivering notices to customers
Credit monitoring services for customers impacted by the breach
Loan fees to cover what wasn’t covered by cybersecurity insurance
Outside of financial costs, there are reputation expenses, the time costs associated with complying with regulators after a breach, and potential harm to shareholders.
“For consumers, it’s a matter of how much are you comfortable continuing to put out there? How protected are you? How protected do you want to be?” -Kristin Dohn, CFPB
How customers can protect themselves
While it may seem like there’s no avoiding a breach, consumers can take precautions to minimize difficulties in the event their data is stolen. Consumers can stay on top of their credit and bank account statements, Kristin advised. If you spot problems, address them right away.
Terms and conditions sheets aren’t exactly beachside vacation reading, but you need to know where your data is going when you give it up to websites and online retailers, she said. You find out by reading.
“It’s a digital world. There is a lot out there to hack into,” Kristin said. “For consumers, it’s a matter of how much are you comfortable continuing to put out there? How protected are you? How protected do you want to be?”
Building a data breach response plan
Businesses and government agencies need meticulous, well-thought-out data breach response plans. High-level starting planning questions are:
How will you act swiftly in the event of a breach?
How will you interact with your customers in an appropriate way?
How will you help to protect customers?
How will you stay in tune with consumer perceptions of a breach?
“Being proactive about security and incident response is extremely helpful,” said Jeff Schultz, a data security, privacy, non-compete, and trade secrets lawyer at Armstrong Teasdale in St. Louis, MO.
“Companies that are more mature in their planning have an easier time responding to a breach.”
Jeff’s advice is to periodically review your company’s data breach policies and plans. Create a schedule for reviewing and documenting changes.
“Even if you can’t take weeks to sit down with a team and revise your plans, at least take it off the shelf, dust it off, and spend a couple of hours with it so that it comes back to the front of your mind.”
Is it true nobody really cares about data breaches anymore?
Sometimes it may seem like nobody cares about data breaches. The media tend to report them quickly and then move on just as quickly.
“But breaches come down to the effect on an individual person,” Kristin said. “Some people are more impacted than others. Low-income people and people with limited English proficiency can be at a big disadvantage in a breach.”
Jeff agreed. “You might get a notice in the mail of a breach and dismiss it right away, toss the notice right in the recycle bin. But there are others who will be concerned because they haven’t been caught up in a breach before.”
The impact lasts inside of companies, as well.
“It can seem from the outside like nobody cares,” Jeff said. “However, the employees inside the company are still working to take care of customers. There’s an ongoing cost to what employees are doing: labor, time, and distractions. They do worry about their customers.”