The news that Sage, the UK software company, has experienced a data breach adds that company to a rather inauspicious list. On both sides of the Atlantic, companies of the size of Home Depot, JP Morgan Chase, Sony, Talk Talk, Morrisons, Moonpig and Kiddicare have all been victims of hackers in the last couple of years.
Unfortunately, data breaches have become something of a part of modern life. Society has accepted that companies hold vast amounts of their data, although there is an unwritten “data covenant” that requires that these companies take the necessary steps to prevent this data being hacked.
However, these types of breaches in the US are becoming more commonplace – there were 781 in 2015, an increase of 8.1% from 2014, and a rate of more than 2 breaches a day. When US consumers are notified of (yet another) breach, they would be forgiven for saying, to paraphrase the biggest hit of 1980s poodle-permed rock band Whitesnake, here we go again…
It almost appears, therefore, that US consumers are becoming not necessarily immune to the effects of a breach, but certainly inured to them. It is as if they are now a part of everyday life. Matters are, however, rather different in the UK.
While US laws generally require companies to report data breaches, this has not been the case for all companies in the UK. The EU’s General Data Protection Regulation (“GDPR”) was designed to change this, but the Brexit vote could mean that this piece of legislation ends up in the Recycle Bin.
All of this means that any UK reported data breach is going to have a greater “shock and awe” impact on consumers by virtue of the fact that it is still big news. UK consumers appear to still place great store in the “data covenant”. Consequently, any breach may lead to reputation issues for the victim company if its customers transfer their business to competitors that they consider to be more trustworthy.
In financial terms, this reputation loss can be significant. Talk Talk has admitted to losing 101,000 customers after the breach it suffered in October 2015. The trading costs of this reduction in the customer base have been reported as £15 million in Q3 2015 and a further £20 million in Q1 2016.
For as long as companies continue to hold data about consumers, it is unlikely that this reputation risk will ever disappear. However, companies can mitigate their exposure by considering the data that they hold, where this data is held and the security controls that are operated around that data.
While giving consideration to these types of issues will help reduce the risk of a breach, companies also need to plan for what they will do in the event of a breach. A well-written breach response plan that includes a PR strategy can help ensure that all reputation risks arising from a breach can be addressed in a proactive way.
Current reporting on the Sage breach indicates that bank account data and salary information of its customers may have been compromised. However, there have been none of the headlines that accompanied the Talk Talk breach.
It would therefore appear that Sage has minimised the impact of this breach on its reputation. This is clearly a good thing because, let’s face it, nobody wants their reputation to be tarnished by being mentioned in the same article as a 1980s poodle-permed rock band.