Over on The New School of Information Security, Adam has a post that those of us who report on breaches or comment on the impact of breaches need to read, and I do encourage everyone to watch the video and read his entry. The bottom line of his post is that security breaches do not hurt brand.
Not everyone agrees with his conclusion, of course. George Hulme, for example, recently wrote that he thinks the data supports a conclusion that brand is hurt.
I can think of two specific cases where a company did fold or go under following a breach: Verus, Inc. folded after a firewall configuration error resulted in their hospital clients’ online bill payment systems exposing patient account information. And Spicy Pickle closed their two locations following a POS breach that victimized 150 customers. The owners said they never recovered sales levels.
Other than those two cases, I cannot think of any other such drastic results from a data breach. Are they ‘enough’ evidence to suggest that statements that breaches don’t hurt brand may be too sweeping or overly broad? I would like to see Adam respond on his blog to the studies George Hulme cites and isolated reports of businesses folding. If we tell businesses that “breaches don’t hurt brand,” are we going too far in the anti-FUD direction?
Terry Sweeney (and Adam) may be right in claiming that there is no lasting harm to brand – but they may need to qualify that assertion to add “if the company is big enough to survive an immediate hit.” And perhaps they also need to consider that even when companies rebound following an initial hit in sales or stock prices, they may not grow as much as they might have.
Not that anyone may care or that it significantly impacts their bottom line, but I never used a credit card at TJX again following the disclosure of their breach. That means that I have purchased less and essentially stopped shopping at their stores. Most people will not have the type of extreme response I had, but how much higher might TJX’s profits be now if they hadn’t had a huge breach in 2007? TJX may have rebounded, but how much churn did they experience from the breach?
[corrected the name of Adam’s blog].
Note: Larry commented on Adam’s blog that CardSystems also had a severe consequence as a result of a breach affecting 40 million. I had forgotten about that incident, but he’s right.
I’m working on a longer response, but we’ve had a thousand breaches since CardSystems, and even you forgot about it.
Yeah, but I’m old. I forget things anyway, even if there hadn’t been 1,000 more breaches since then. 🙂
I look forward to seeing your response – particularly to the studies with data.