Radio personality Don Imus' recent breach of taste has a lot in common with data security breaches. The loss of reputation and costs incurred following Imus' word-spew illustrate how important it is to understand exactly what happened, who is affected, and how to respond properly to victims of a breach.
With that in mind, consider these 10 important lessons to be learned from the Imus experience:
1. It takes only one breach to make people unhappy and get you fired -- or, in the case of a company, lose lots of good customers. Some 20 percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study we recently conducted.
2. Never underestimate the cost of a breach. Not only did Imus lose his job, but the lost sponsors and reparations to the victims could cost millions. According to Ponemon Institute's 2007 Cost of a Data Breach study, breaches can cost companies millions of dollars per incident in direct costs, such as victim notification. The significant costs involved should inspire you to have controls in place to prevent leaks. On average, the cost of a data breach is $182 per compromised record, a 31 percent increase over 2005. Total costs for each company in the study ranged from less than $1 million to more than $22 million.
3. Reputations suffer and trustworthiness declines following a breach. In the days following his remarks, Imus struggled to regain his reputation and popularity to no avail. The same holds true for many organizations that suffer a breach.
We conduct an annual study to determine which companies in a variety of industries are most trusted by consumers. In our 2007 Most Trusted Companies study we decided to track the impact a data breach can have on a company's perceived trustworthiness. There were 12 companies in our study that had data breaches that required them by law to notify consumers and employees that sensitive information was lost or stolen in the period following the 2006 study. In 2006, these 12 companies had aggregate trust scores that were 1 percent above the average score. Following the breach, their 2007 scores were 23 percent below the aggregate most trusted list average.
4. Communication should be in proportion to the incident. Over-apologizing or unnecessary notification will cause confusion as to the seriousness of the breach, and diminish the integrity of the organization. In the case of a data breach, organizations should make sure they understand who the victims are and what personally identifiable information is at risk. Notifying individuals who are not at risk will cause unnecessary worry and can cause more harm to the organization's reputation.
5. Public scrutiny -- not to mention laws and regulations -- should make you sensitive to how you respond. Lawsuits for negligent handling of personal information are becoming more common. Many states have passed laws requiring companies to inform their customers if their personal information has been stolen or possibly compromised. And some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data. Federal statutes and regulations also permit government agencies to sue organizations over data breaches and other failures.
6. A loyal customer or audience does not necessarily protect your reputation when a breach occurs. Imus was fired while raising money for children's charities. Similarly, if you think you have established goodwill and loyalty with your customers through your privacy policies and commitments to safeguard sensitive information, think again. According to our research, companies that report a data breach are more than four times as likely to experience customer churn if they fail to communicate to the victim in a clear, consistent, and timely fashion.
7. The media can either help reduce the impact of a breach, or create the perception that a breach is worse than it really is. For days following his remarks, Imus was the top story in both print and broadcast media. In the event of a breach, it is important to conduct an investigation as quickly as possible to understand who has been affected and how breach victims may be at risk. As soon as the investigation is completed, victims should be notified and provided assistance to protect their assets. By completing these steps, the organization will be able to have a more positive and substantive response to media inquiries.
8. Have a plan that includes as many possible contingencies as you can imagine. Nothing is worse than being unprepared to take appropriate action to reduce the damage to victims and prevent the breach from becoming worse. Then make sure everyone involved understands the plan before it is needed and follows the plan in the event of a breach.
9. Executive commitment is important. As attention to his remarks escalated, Imus lost the support of management and his colleagues. In an organization, leadership should make it clear they support efforts to investigate and remediate the breach. This will help ensure that those within an organization work as a team to address the problems as quickly and efficiently as possible.
10. Be sensitive to your operating environment and have controls in place to reduce the likelihood of a breach. Even though he was a shock jock and appreciated for his humor, Imus was vulnerable because of his visibility in the media. Organizations that have high profiles, especially in highly regulated industries, need to take steps to know the types of information they are collecting, storing, and using, and what the risks would be if the data were lost or stolen.
As with Imus, a data breach involves a wide range of cost factors, including legal, investigative, and administrative expenses, stock performance, customer defections, opportunity loss, and reputation management. If there's a single lesson here, it's to be prepared, both to avoid a breach in the first place, and to respond appropriately if one should occur.
Larry Ponemon is founder and CEO of Ponemon Institute LLC. Special to Dark Reading.