Just about every day now, we read or hear about data breaches, and some of us are victims of them. Some organizations are already preparing a breach response plan in advance, on the assumption that one day, perhaps soon, it will have to be put into action. Developing the right response for your business requires an understanding of how data breaches change the behavior of your customers, regulators, investors and vendors, among other constituents. While this topic deserves further research, a pattern is beginning to emerge.
Consumers are exposed whenever the personally identifiable information (PII) that organizations store about them is released without authorization. PII can include a name, address, phone and Social Security numbers, financial information such as credit card and bank account numbers, and health information, among many other forms of personal data. Judging from the announcements available to date, breached companies have attempted to make things right with their customers by doing anything from offering some form of apology to providing free credit monitoring, usually for periods of 12 to 24 months.
It’s unclear how consumer loyalty is affected by data breaches, but there doesn’t yet seem to be evidence that consumers are abandoning affected merchants. If you were walking down the street trying to decide which diner would best satisfy your lunchtime hunger, you might be inclined to pass the one displaying a health inspection score below ‘A.’ If a similar rating for cyber hygiene were posted on business storefronts, might you favor Lowe’s over Home Depot if the scores were materially different? At what point does cyber hygiene affect consumer behavior? Today, it feels as if consumers treat breaches as inevitable or simply a nuisance. It is possible that, over time, consumers will become more discriminating and favor those merchants that treat their data more securely.
If consumers have become resigned to living in an insecure world, regulators at the federal, state and local levels, along with private litigants, are taking matters further: litigants seek compensation, and regulators seek to force organizations to raise their cybersecurity game.
The Federal Trade Commission exists to promote competition and protect consumers. Since 2002 it has brought over 50 cases against companies that experienced data breaches, most of them resolved by settlement, typically a consent order that imposes ongoing security obligations on the company. Its cases reinforce the need for organizations to take basic, common-sense approaches to good housekeeping. FTC cases have highlighted the need to be responsible data stewards, control access to data sensibly, require passwords and authentication, store PII securely and protect it during transmission, monitor the network, apply sound security practices in new product development, use secure service providers, remain vigilant and address vulnerabilities promptly, and secure physical media (e.g. paper) and devices.
The U.S. Securities and Exchange Commission has largely limited its cybersecurity enforcement actions to broker-dealers, investment advisers and transfer agents. Its October 2011 disclosure guidance (CF Disclosure Guidance: Topic No. 2) gives registrants reasonably broad latitude as to the timing and extent of breach disclosure. The SEC faces pressure from Congress to improve transparency regarding security breaches and to address concerns that investors do not receive enough information to make informed decisions.
Activity at the state and local level should sustain, and probably increase, pressure to improve cybersecurity practices. For example, Comcast agreed to pay $33 million to settle claims in California that it had published the names, addresses and phone numbers of Xfinity customers who had paid the company a monthly fee to keep that information unlisted. Only a portion of that settlement will reach affected customers directly, although Comcast has agreed to issue each of them a $100 credit, refund the fees paid during the period of disclosure, and provide other restitution depending on individual circumstances.
While consumers may be somewhat forgiving of insecure merchants, businesses have more at stake when dealing with insecure vendors. The Target breach announced in December 2013, in which attackers entered through a third-party vendor’s network access, popularized the notion that a company’s security is only as good as the security of the vendors it lets onto its network. Traditional vendor management practices require vendors to fill out a questionnaire or submit to a penetration test. Those measures are point-in-time assessments: they can be incomplete or incorrect, and given how frequently breaches occur today, they may be stale the day after they are performed. A group of emerging companies now offers rating services that assess a company’s cyber hygiene quantitatively and unobtrusively, using externally observable evidence rather than the vendor’s cooperation; such ratings naturally see only what is visible from outside. With boards of directors now taking cybersecurity seriously, it is only a matter of time before every company checks its cyber rating daily, and the ratings of vendors with access to its network, much as an individual might check a FICO score. Vendors that don’t measure up may be given time to improve their practices, but ultimately poor cyber performance will be cause for termination.
The notion that a company can simply ‘pay off’ aggrieved customers and carry on business as usual is flawed. Cybersecurity is a growing part of the trust equation that all of your customers calculate, and it is only a matter of time before poor hygiene turns them away for good.