The majority of CEOs place a high value on maintaining their organizations’ reputation and brand. Below are some ways that these critical business assets may be affected by a data breach:

  1. Direct financial loss

    1. While news of a high-profile personal information breach tends to have an immediate negative effect on share price (for instance, the recent breach of US-based Target stores saw the CEO resign and the share price fall by 10%), share prices do seem to recover fairly quickly. [2]
  2. Indirect financial loss

    1. “While consumers are rightfully worried that their personal information may be compromised, shareholders and companies’ management have a wider set of concerns, including loss of intellectual property, operational disruption, decreased customer trust, tarnished brand, and loss of investor commitment.” [2]
    2. A breach almost necessarily implies abnormal legal, technical investigation and PR costs.
    3. “Target, for example, pledged to spend $100 million upgrading its security. The company lost a total of about $236 million in breach-related costs, $90 million of which were offset by insurance.” [2]
  3. Loss of business

    1. “The study calculates totals by aggregating costs of investigation, notification, legal fees, consumer redress (and services such as credit monitoring or reimbursement of credit cards) and customer churn. In fact, the study claims that the majority (69%) of total costs in 2008 was due to lost business.” [1]
    2. In studies conducted between 2005 and 2011, abnormal customer turnover (churn) rates after a data breach increased on average by 3.2% (going as high as 8.7%). [1]
    3. Customer turnover does depend on the nature of the business and the importance that customers place on the trust relationship. For instance, the Ashley Madison breach will most likely result in that company’s closure.
  4. Civil liability

    1. Section 99 of POPI makes it possible for data subjects (for example, your customers) to claim damages from you for losses suffered as a result of a contravention of the Act.
    2. However, in an analysis of US data breach litigation between 2005 and 2010, it was found that “only about 4% of reported breaches resulted in federal litigation”. [1]
    3. Other interesting findings were that the “odds of a firm being sued… was 3.5 times greater when individuals suffered financial harm, but over 6 times lower when they were provided free credit monitoring”. Offering free credit monitoring to people affected by the breach appears to allay their fear of identity theft to some extent.
  5. Regulatory action

    1. Section 107 of the Protection of Personal Information Act 4 of 2013 (POPI) provides for penalties of up to R1m and 12 months’ imprisonment, and up to R10m and 10 years’ imprisonment for more serious offences.

Compliance with POPI should greatly reduce the risk of experiencing a breach in the first place and also limit the magnitude of the fallout should it occur. It is also worth noting that the impact of a second or third public breach may well be cumulative in nature.

  1. Romanosky, S., Hoffman, D., and Acquisti, A. Empirical Analysis of Data Breach Litigation. Forthcoming in the Journal of Empirical Legal Studies.
  2. Harvard Business Review, Why Data Breaches Don’t Hurt Stock Prices.
  3. Ponemon Institute, 2008 Annual Study: Cost of a Data Breach 11 (2009).