The period following a data breach is not an easy one for companies. Lots of time and money are spent to effectively manage a crisis, with even more time and money spent on the aftermath. These expenses include members of the IT and security teams upgrading their security solutions; management and HR conducting security training for employees; and the crisis communications team talking to customers, stakeholders, and the general public to earn back trust. The way a company manages a data breach directly impacts its reputation after the dust settles.
To see just how much of an impact this makes, we took a look at different quantitative and qualitative data to understand what really happens to a company’s reputation after a data breach.
Table of Contents
- Who Do Americans Still Shop With After a Breach?
- Age and Gender’s Influence in Company Reputation
- Importance of Reputation in Business
- Tips to Recover from a Data Breach
What Do Americans Really Think About Companies After a Breach?
We surveyed 1,000 Americans to see what type of company they are most likely to still shop with after a business experiences a breach. We found that people are most likely to shop with a retail store and least likely to shop with a rideshare service after a breach.
One thing to note is that we included names of companies that have experienced prominent breaches for each question. We added Target to the retailers option (the winning choice in the survey) and Uber to the rideshare service option (the least favorable option in the survey).
Americans Trust Retailers the Most
Target’s breach lasted from November 27 to December 15, 2013. They detected their breach in 16 days and disclosed it to the public 20 days after discovery.
Many criticized Target for the time it took to notify the public about the breach. This was one of the largest data breaches at the time and it sparked a lot of discussion around POS security, consumer data safety, and many other concerns that were not heavily discussed prior to the breach. Thanks to their many efforts to improve their security and win back customers, Target appeared to turn their unfavorable reputation around in the years following their breach.
Months after the breach, Target posted a list of their security and technology enhancements on their corporate site. Improvements included enhanced monitoring and logging, reviewing and limiting vendor access, and enhanced security of accounts. Their robust and quick implementation of improvements, especially at a time when these breaches were not as prevalent, may have positively swayed public opinion.
Target is also known for having a loyal customer base, which may have come in handy for their strong bounce back. The Huffington Post attributes this loyalty to things like convenience, visual appeal, and the strong sense of community Target provides for different customers. Forbes also cites their investment in customer service-oriented employees as a contributing factor to their strong overall reputation.
We can see that Target’s consumer perception took a 54.6 percent dip the year following the data breach. In the following years, there was a generally steady uptick with an 84 percent increase from 2014 to 2018. A small dip in 2016 is likely attributed to the controversy regarding Target’s stance on allowing transgender customers to use dressing rooms and restrooms for the gender they identify with.
As we mentioned, Target’s strong brand loyalty and efforts to improve their security system are two factors that likely contributed to this uptick. We conducted this survey six years after Target’s data breach, making Target the company with the oldest breach represented in the survey. This may have factored into their high favorability in this study since their breach was less recent and they had more time to recover.
Americans Trust Rideshare Services the Least
Uber’s breach occurred in October 2016 and the company discovered it a month later. Instead of disclosing the breach, Uber paid hackers $100,000 to delete the data and stay quiet about the incident. Uber finally disclosed the breach in November 2017 and met lots of repercussions including fines, sanctioned security protocols, and diminished customer trust.
In contrast to Target, Uber’s critics were much tougher on them because they broke laws regarding breach notification. Many state attorneys general were vocal critics and found fault with Uber’s choice to hide the breach and their overall disregard for security.
In our survey, more people held their trust with older industries like retail stores and hotels than with newer industries like social and rideshare. Consumers seem to be less forgiving about data breaches for companies in newer industries. This means that those businesses need to be extra careful about how they handle customer data.
A big difference to note in this instance is that Target dates back to 1902 while Uber only started in 2009 (under a different name). The rideshare industry only started in 2007 with Zimride. Therefore, Uber had less time than Target to build up their brand reputation, less time to recover from the breach at the time of the survey, and is in a relatively new industry.
However, Uber also had several other controversies occur in their short history, including their “God’s View” software that was reportedly used to track real-time locations of passengers (including politicians and ex-girlfriends); issues around underpaying drivers; and a sexual harassment settlement among other accusations of sexism within the company. These issues likely added to the quick drop in consumer perception.
We can see here that Uber’s consumer perception dipped 141.3 percent the year they disclosed the breach. Even with a month left in the year (since they disclosed their breach in November), the negativity surrounding Uber as a company and their actions specifically related to the breach were likely enough to send their rating plummeting.
Influence of Age and Gender in Company Reputation After a Breach
We noticed a few trends in age and gender in relation to where a person would still shop after a data breach. Take a look at our findings below.
In our survey, we found that millennials were less trusting overall of different institutions after a data breach. You can see above that even for retail stores, the winning answer in our survey, millennials still trusted this institution the least in comparison to other
Several studies and reports have found that millennials are complicated when it comes to trust. CIO reported that millennials are generally suspicious of businesses, while Forbes reported that millennials were once trusting but have a general erosion of trust thanks to the rise of large-scale data breaches.
When diving into gender, we found that a business’s core demographic may influence how quickly customers will continue shopping there.
For example, we found in our survey that women were most likely to shop with retailers like Target after they’ve experienced a data breach. Target’s core demographic is female and women are actually more likely to shop at similar retailers than men. This means that there may be a relationship between the two. We also found that rideshare services were more trusted by men in our survey and that men use Uber slightly more than women.
The Relationship Between Data Breaches and Reputation
We now see that consumers care a lot about data breaches and how companies manage them. In fact, if a breach is poorly managed, consumers are likely to lose trust, dissociate from the business, tell their network about the breach, and shop with a more secure competitor.
A Centrify study found that 65 percent of data breach victims lost trust in an organization as a result of the breach. IDC found that 80 percent of consumers in developed nations will defect from a business if their information is compromised in a security breach.
On top of lost trust, companies also need to worry about the networks of directly affected customers. An Interactions Marketing survey found that:
- 85 percent tell others about their experience
- 33.5 percent use social media to complain about their experience
- 20 percent comment directly on the retailer’s website
The magnitude of any data breach is far-reaching thanks to the internet. A company’s widespread negative reputation specifically from a breach can damage their overall reputation more than they realize. This can ultimately impact their bottom line. Security Magazine reported on a study that found:
- 52 percent of consumers would consider paying for the same products or services from a provider with better security
- 52 percent of consumers said security is an important or main consideration when purchasing products or services.
Tips to Recover from a Data Breach
Now that we know the facts, what can we do next? Past high-profile breaches give us examples of what to do and what not to do after a breach. Take a look below to see what you can do to gain customer trust and ethically build up your reputation following a data breach.
Actions to Take After a Data Breach
Be the first source to break the news. This proves transparency between you and the public, plus it allows you to control the narrative surrounding the breach. Letting another source break the news automatically puts you on the defensive and at a disadvantage, according to global crisis, risk, and reputation strategist Davia Temin in a Forbes article analyzing the Target breach. Temin also advises getting the bad news out all at once when possible and responding thoughtfully and thoroughly to any correspondence.
Engage in threat-sharing. There are a handful of organizations and initiatives your company can join following a breach. These groups share information about their breaches to educate the security industry about evolving threats. This ultimately helps everyone learn how to better defend themselves against constantly changing cyber threats. Target is one of the major companies that joined two threat-sharing initiatives following the breach.
Implement a robust notification plan. Notifying your customers, employees, and other relevant stakeholders is just as important as managing the breach itself. There are many people involved in the notification process, including:
- IT and cybersecurity professionals to convey what happened
- Legal professionals to vet communications and keep the company briefed of any related regulations they need to follow
- Public relations and C-suite executives to relay this information to the public
Having at least some of this planned out prior to a breach ensures a solid process is in place to distribute information as quickly and accurately as possible.
Hire a CISO and other security professionals. Leaders and professionals directly focused on cybersecurity can enhance your recovery efforts. It also makes a statement to the public that you’re serious about fixing your mistakes and making a strong push to strengthen your cybersecurity efforts. Target and Sony hired their first CISOs after their respective breaches. Equifax hired Home Depot’s CISO to lead their recovery efforts since he aided in the home improvement store’s recovery.
Be transparent enough with all parties involved. Everyone related to the breach should know the necessary information. Consumers should know that their information was compromised and what you’re doing to fix the situation. Authorities should know exactly when and how the breach happened. However, there is a fine line to walk here. Disclosing too much information at the wrong time may give other hackers just enough knowledge to launch another attack while you’re trying to recover from the previous breach.
Regularly measure and report on your cybersecurity improvements. The aftermath of a data breach doesn’t stop after the news seems to back off and the waters begin to calm. Building long-term trust with the public includes active monitoring and work to prevent a future attack.
Yahoo’s string of breaches year after year is a prime example of why companies should prioritize cybersecurity efforts. Make sure you have a powerful and comprehensive cybersecurity solution to aid in your reporting and get an overall look at your cybersecurity landscape. A Statista study also found that 73 percent of people find it extremely important to fix the problem and stop the breach after customer data has been compromised.
Mistakes to Avoid After a Data Breach
Don’t pay off the hackers. This not only directly attacks consumers and public trust, but also fuels the hacking “market,” further validating hacking as a means of income. As we mentioned earlier, Uber paid off hackers to delete information and stay quiet about the hack, and many people across the board condemned the rideshare company for this choice.
Don’t wait to notify the public. The longer you wait to notify the appropriate people about the breach, the worse the consequences from consumers and authorities may be. Uber, Equifax, and other high-profile data breaches suffered major criticism for the time they took to notify the public. Other things to consider in addition to reputational consequences are the legal repercussions of lagged notifications. The GDPR only allows you 72 hours to disclose the breach. Failure to follow that rule or any of the GDPR’s regulations can result in fines as high as $22.6 million or 4 percent of the company’s worldwide annual revenue of the previous year.
Don’t make any definitive statements until you confirm the facts. Going back and correcting a statement only makes a bad situation worse. Companies that do this can come off as unprepared and unprofessional — two things you don’t want your customers to perceive you as after you’ve compromised their information. Instead of trying to hastily get information out, give updates about when you can provide confirmation and be transparent about why you can’t disclose specific information at a given time.
Consult with different departments (public relations, legal, IT) to make sure the messaging and information is correct. Equifax retracted their statements multiple times and had several other hiccups following their breach (including accidentally directing their users to a phishing site) that left an unfavorable impression on consumers. Yahoo also revised their statements about the number of accounts hacked during their breach. They originally reported that one billion accounts were compromised and later retracted that statement to say every account (3 billion) was involved. This mistake, coupled with their string of hacks, didn’t fare well with the public.
The way a company manages a data breach impacts its reputation and consumer perception. Companies should put in the proper time and resources to prepare, manage, and handle the aftermath of a breach. This will help them rebuild and strengthen their reputation and relationship with customers, employees, stakeholders, and the public. The time it takes to respond to and contain a breach is a major factor in the public’s perception of a company.
Having an incident response plan and engaging in effective threat modeling are proven ways to reduce the overall impact of a breach and have methods in place to strengthen consumer trust. Don’t put your company at risk and leave your reputation up to chance. Take a risk assessment to see how prepared your company is for a breach and what you can do to take the right steps towards minimizing potential threats.
Sources: CSO | CPO | Experian | Bank Info Security | Centrify | BrandIndex | CBS News | TechCrunch | Reuters | CNN Business | Washington Post | ZDNet 1, 2 | Morning Consult | WeLiveSecurity | Office of the Attorney General 1, 2, 3 | Boston Herald | FTC | The Guardian
This study was conducted for Varonis using Google Consumer Surveys. The sample consists of 1,000 respondents, with an average margin of error of 4.8 percent. This survey was conducted on February 26, 2019.