The UK Data Breach Landscape
" It doesn't matter whether you are big or small. If you have an IP address and are connected to the internet, you are fair game as far as hackers and cyber-criminals are concerned. "
Nick Prescott, Information Security Manager, Blackthorn Technologies
Dubbed 'The Year of the Data Breach', 2014 saw a steady stream of serious, in some cases record breaking, data breaches hit the headlines. Some of the world's major household names were hit by cyber-attacks but, although many of those breaches will undoubtedly have affected UK customers, none of the top breaches in terms of the volume of exposed records involved UK-specific organisations.
So, was 2014 'The Year of the Data Breach' in the UK and, more importantly, how has the seemingly endless procession of data breach cases during the last 12 months changed both business and public perceptions?
2014: The Year of the UK Data Breach?
There is ample evidence to suggest that the UK market did indeed follow the upward global trend.
Research commissioned by Experian and carried out by Comres, found that almost one fifth of UK organisations (17%) suffered at least one breach in the last two years.
Meanwhile, over the course of the year, the Information Commissioner's Office (ICO) issued warnings to a number of sectors, including the legal and healthcare professions, pointing out that data breach incidence was steeply on the rise. In its annual report for 2013/14, the ICO also revealed that it had "...been processing record numbers of complaints, answering more questions on our help line, and concluding more enforcement actions than ever before."
Finally, a Freedom of Information Request from Egress Software also revealed a surge in the number of reported data breaches in the UK – comparing reported breaches between April and June 2013, and the same period in 2014. The figures obtained from the ICO – which also suggested a "worrying increase in data breaches as a result of human error" - showed that data breach events were on the rise across the board; for example:
It is fair to say, then, that 2014 may indeed have been the year of the data breach in the UK – but, at the same time, the steep rise in breach events did not perhaps garner the kind of media coverage that can help to increase organisations' awareness and encourage them to take the risks seriously.
In fact, most breaches that become public knowledge in the UK affect big, US-based global brands and take place in jurisdictions like the US, where mandatory notification practically guarantees media coverage. The converse is true in the UK. We have seen an upsurge in the rate of UK businesses affected by data breach but media coverage of UK-specific breaches has been minimal - arguably because notification is, for the most part, not mandatory.
The Customer Impact: A Financial Halo Effect
" The big thing right now if you look at any data breach is the PR downside, the impact in terms of reputational damage, customer churn and ultimately lost revenues. Our customers tend to be at the forefront when it comes to breach response, but eighty per cent of the businesses we talk to are most concerned about protecting customer relationships following a breach, with very good reason. "
Paul Bantick, UK TMB Focus Group Leader & Underwriter, Beazley plc
Whether or not UK organisations fully appreciate the risk that they will be affected by a data breach, it is clear that the majority do understand the likely impact if the worst should happen.
According to the research, they are well aware of the regulatory impact of a data breach, the cost of recovery and, perhaps most importantly, the potentially devastating effects on trust and customer loyalty. According to the research:
80% of UK organisations are concerned at the prospect of legal or regulatory action following a data breach;
84% are concerned that customers will trust the organisation less;
81% are concerned about the financial impact of recovering from a breach;
79% are concerned that customers will stop using the company.
" Businesses suffering breaches have maybe had a bit of an easy ride from consumers until now, but that is changing. Increasingly, I think the effectiveness of the response is what an organisation will be judged on. If they are found wanting, that is where the reputation will suffer, not just because the breach happened in the first place. "
Claire Snowdon, Director, Regester Larkin
These fears are well founded. The potential regulatory impacts – from fines and reparations to the costs associated with remedial action – are well known, but changing consumer attitudes could drive more far-reaching and persistent damage.
The research found that the UK public is very conscious of the risks posed by data breaches. People are, in general, concerned about them, and agree that their perception of a business would change if it was affected by a data breach that compromised their personal information. What's more, it seems that being affected by a data breach could be likely to convert a significant number of customers into 'brand detractors', who would amplify negative reputational effects by advising friends and family against the organisation.
According to the research:
64% of British adults are concerned about falling victim to a data breach in the future;
80% say their level of trust would decrease if a company lost their personal data;
63% of British adults say they are likely to leave an organisation if a data breach occurred;
67% would advise friends and family against the organisation.
Overall it seems that customer perceptions of data breach are on the move. Consumers are less understanding, and less willing to see organisations affected by data breaches as 'victims'. Rather, they increasingly believe that data breaches come as a result of the organisations' own failures – failures in procedures, security and data controls.
The research findings clearly bear this out:
90% of British adults think companies should educate their employees on data security;
88% think companies should have measures in place to prevent a data breach;
84% think companies should be penalised for compromising their customers' personal information;
83% think companies should be subject to increased regulation to better protect customers.
While consumers have clear attitudes as to accountability for the protection of personal information, this is further underpinned by a widespread apathy towards protecting their own information online, even in the event of being notified of a breach – making the potential end results of becoming victim of a data breach even farther-reaching.
54% of those affected didn't change the password on the affected online account when notified of a breach;
Just 35% changed the password on other online accounts;
83% made no change to their online behaviour at all after being notified of a data breach.
" We have already reached a situation where the cost of lost business following a breach accounts for almost half of the overall financial impact. This financial 'halo effect' has grown rapidly over recent years and will continue to do so. This is an issue that businesses simply cannot afford to ignore. "
Jim Steven, Head of Data Breach Services, Experian
This increased public awareness of data breach, the likely heightened effect on reputation and customer loyalty, as well as the multiplying effect of 'adverse advocacy' adds a new dimension to the financial impact of a data breach – creating a 'halo effect' of financial and reputational implications.
That is, organisations affected by data breach who have not adequately prepared will increasingly suffer costs associated with lost business as well as the direct cost of fines and data breach response activities. Indeed, according to the Ponemon Institute's Cost of Data Breach 2014, this indirect cost of lost business now accounts for around 43% of the total cost of a data breach. The Ponemon report concluded that:
On average lost business costs associated with "...abnormal turnover of customers (a higher than average loss of customers for the industry or organisation), increased customer acquisition activities, reputation losses and diminished goodwill" stood at £950,000;
The total average cost of a data breach, including costs like breach detection, escalation and response costs was £2.21 million.
This 'halo effect', then, almost doubles the total financial impact of the average UK data breach – what's more, the costs associated with consumer action and reputational damage have risen rapidly over recent years. According to Ponemon Institute figures, lost business costs have increased by 22% since 2011 .
The Business Response: Ready for Anything?
The research tells a two-part story about UK business' readiness to respond to data breaches. In essence, it is a story of misplaced confidence, and response plans built up by a costly process of trial and error.
On the surface, businesses are broadly confident. When questioned, they suggest they are well prepared to respond to a data breach:
79% believe their organisation is prepared to respond to the theft or loss of sensitive and confidential information that requires notification to victims and regulators;
81% believe the organisation understands what needs to be done following a data breach to prevent the loss of customers' and business partners' trust and confidence;
76% say the organisation understands what needs to be done following a material data breach to manage negative media or public sentiment.
Look below the surface at real plans and readiness, however, and the picture is far less positive. The reality is that preparedness is patchy at best and all important customer engagement is almost an afterthought:
34% do not have data breach response plans in place, and even of those who do, those plans are less than comprehensive – a quarter do not include specialist crisis communications (23%) or legal (27%) support, and almost two thirds (63%) do not include digital forensics;
Only one third (33%) have specific budgets set aside to deal with data breaches;
Less than two-thirds (61%) have reporting procedures in place for lost data or devices (e.g. company laptops or phones);
Less than half (43%) have data breach or cyber insurance policies in place;
Just 47% would notify customers 'as quickly as possible' following a data breach;
Less than a quarter (21%) would offer an identify protection service to existing customers, and only 10% would offer a credit monitoring service.
The fact that data breach response planning and readiness is so patchy perhaps explains why so many UK organisations affected by breaches go on to be affected again, at least once, within two years; 57% according to the research.
" In terms of readiness to respond to a data breach effectively, I think the average UK business scores about 5.5 out of 10. They know it's an issue but those who have not yet suffered a breach really do not understand what a massive problem it can be. There is still a lot to learn. "
Margaret Tofalides, Partner and Head of UK & EU Data and Cyber Security Practice, Clyde & Co LLP
Trial and Error
" We've seen companies go into a breach situation without an effective response plan in place. They are essentially learning in live situations, and pretty quickly come to appreciate the full implications of a breach and the complexities involved in a breach response. You can be sure they had plans in place the next time around. "
Michael Bruemmer, VP, Consumer Protection at Experian Consumer Services, US
It's evident that UK organisations are underestimating the complexities in planning for and delivering an effective and well-rounded data breach response, until it is too late. This is borne out by the research findings, which clearly demonstrate improved planning and readiness amongst organisations that have already been affected by a breach. In essence, it suggests that UK businesses' data breach response planning is an iterative process of trial and error:
To continue reading click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
