" The big thing right now if you look at any data breach is the PR downside, the impact in terms of reputational damage, customer churn and ultimately lost revenues. Our customers tend to be at the forefront when it comes to breach response, but eighty per cent of the businesses we talk to are most concerned about protecting customer relationships following a breach, with very good reason. "

Whether or not UK organisations fully appreciate the risk that they will be affected by a data breach, it is clear that the majority do understand the likely impact if the worst should happen.

According to the research, they are well aware of the regulatory impact of a data breach, the cost of recovery and, perhaps most importantly, the potentially devastating effects on trust and customer loyalty. According to the research:

  • 80% of UK organisations are concerned at the prospect of legal or regulatory action following a data breach;
  • 84% are concerned that customers will trust the organisation less;
  • 81% are concerned about the financial impact of recovering from a breach;
  • 79% are concerned that customers will stop using the company.

" Businesses suffering breaches have maybe had a bit of an easy ride from consumers until now, but that is changing. Increasingly, I think the effectiveness of the response is what an organisation will be judged on. If they are found wanting, that is where the reputation will suffer, not just because the breach happened in the first place. "

Claire Snowdon, Director, Regester Larkin

These fears are well founded. The potential regulatory impacts – from fines and reparations to the costs associated with remedial action – are well known, but changing consumer attitudes could drive more far-reaching and persistent damage.

The research found that the UK public is very conscious of the risks posed by data breaches. People are, in general, concerned about them, and agree that their perception of a business would change if it was affected by a data breach that compromised their personal information. What's more, it seems that being affected by a data breach could be likely to convert a significant number of customers into 'brand detractors', who would amplify negative reputational effects by advising friends and family against the organisation.

According to the research:

  • 64% of British adults are concerned about falling victim to a data breach in the future;
  • 80% say their level of trust would decrease if a company lost their personal data;
  • 63% of British adults say they are likely to leave an organisation if a data breach occurred;
  • 67% would advise friends and family against the organisation.

Overall it seems that customer perceptions of data breach are on the move. Consumers are less understanding, and less willing to see organisations affected by data breaches as 'victims'. Rather, they increasingly believe that data breaches come as a result of the organisations' own failures – failures in procedures, security and data controls.

The research findings clearly bear this out:

  • 90% of British adults think companies should educate their employees on data security;
  • 88% think companies should have measures in place to prevent a data breach;
  • 84% think companies should be penalised for compromising their customers' personal information;
  • 83% think companies should be subject to increased regulation to better protect customers.

While consumers have clear attitudes as to accountability for the protection of personal information, this is further underpinned by a widespread apathy towards protecting their own information online, even in the event of being notified of a breach – making the potential end results of becoming victim of a data breach even farther-reaching.

  • 54% of those affected didn't change the password on the affected online account when notified of a breach;

  • Just 35% changed the password on other online accounts;

  • 83% made no change to their online behaviour at all after being notified of a data breach.

" We have already reached a situation where the cost of lost business following a breach accounts for almost half of the overall financial impact. This financial 'halo effect' has grown rapidly over recent years and will continue to do so. This is an issue that businesses simply cannot afford to ignore. "

Jim Steven, Head of Data Breach Services, Experian

This increased public awareness of data breach, the likely heightened effect on reputation and customer loyalty, as well as the multiplying effect of 'adverse advocacy' adds a new dimension to the financial impact of a data breach – creating a 'halo effect' of financial and reputational implications.

That is, organisations affected by data breach who have not adequately prepared will increasingly suffer costs associated with lost business as well as the direct cost of fines and data breach response activities. Indeed, according to the Ponemon Institute's Cost of Data Breach 2014, this indirect cost of lost business now accounts for around 43% of the total cost of a data breach. The Ponemon report concluded that:

On average lost business costs associated with "...abnormal turnover of customers (a higher than average loss of customers for the industry or organisation), increased customer acquisition activities, reputation losses and diminished goodwill" stood at £950,000;

The total average cost of a data breach, including costs like breach detection, escalation and response costs was £2.21 million.

This 'halo effect', then, almost doubles the total financial impact of the average UK data breach – what's more, the costs associated with consumer action and reputational damage have risen rapidly over recent years. According to Ponemon Institute figures, lost business costs have increased by 22% since 2011 .

The Business Response: Ready for Anything?

The research tells a two-part story about UK business' readiness to respond to data breaches. In essence, it is a story of misplaced confidence, and response plans built up by a costly process of trial and error.

On the surface, businesses are broadly confident. When questioned, they suggest they are well prepared to respond to a data breach:

  • 79% believe their organisation is prepared to respond to the theft or loss of sensitive and confidential information that requires notification to victims and regulators;
  • 81% believe the organisation understands what needs to be done following a data breach to prevent the loss of customers' and business partners' trust and confidence;
  • 76% say the organisation understands what needs to be done following a material data breach to manage negative media or public sentiment.

Look below the surface at real plans and readiness, however, and the picture is far less positive. The reality is that preparedness is patchy at best and all important customer engagement is almost an afterthought:

  • 34% do not have data breach response plans in place, and even of those who do, those plans are less than comprehensive – a quarter do not include specialist crisis communications (23%) or legal (27%) support, and almost two thirds (63%) do not include digital forensics;
  • Only one third (33%) have specific budgets set aside to deal with data breaches;
  • Less than two-thirds (61%) have reporting procedures in place for lost data or devices (e.g. company laptops or phones);
  • Less than half (43%) have data breach or cyber insurance policies in place;
  • Just 47% would notify customers 'as quickly as possible' following a data breach;
  • Less than a quarter (21%) would offer an identify protection service to existing customers, and only 10% would offer a credit monitoring service.

The fact that data breach response planning and readiness is so patchy perhaps explains why so many UK organisations affected by breaches go on to be affected again, at least once, within two years; 57% according to the research.

" In terms of readiness to respond to a data breach effectively, I think the average UK business scores about 5.5 out of 10. They know it's an issue but those who have not yet suffered a breach really do not understand what a massive problem it can be. There is still a lot to learn. "

Margaret Tofalides, Partner and Head of UK & EU Data and Cyber Security Practice, Clyde & Co LLP

Trial and Error

" We've seen companies go into a breach situation without an effective response plan in place. They are essentially learning in live situations, and pretty quickly come to appreciate the full implications of a breach and the complexities involved in a breach response. You can be sure they had plans in place the next time around. "

Michael Bruemmer, VP, Consumer Protection at Experian Consumer Services, US

It's evident that UK organisations are underestimating the complexities in planning for and delivering an effective and well-rounded data breach response, until it is too late. This is borne out by the research findings, which clearly demonstrate improved planning and readiness amongst organisations that have already been affected by a breach. In essence, it suggests that UK businesses' data breach response planning is an iterative process of trial and error:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.