A “Full Recovery” Approach to Data Breach Response
POSITION PAPER
In data breach situations, organizations have typically responded with “damage control”: legally required notification of the individuals whose data was lost, plus public relations efforts to mitigate bad publicity over the breach. While damage control is an understandable response to a data breach emergency, studies indicate that the greatest risk of a data breach is not legal liability or short-term public perception. The greatest risk, and cost, comes when the breach victims have a bad experience, take their business elsewhere, and tell their friends and family why. Businesses can avoid this lost business and abnormal customer churn by adopting a proactive, “full recovery” breach response model that leaves the business and the breach victims whole.
The Triple Threat of Data Breach
Data breaches are a reality of life for US
organizations. While Etiolated.org reports that the number of publicized breaches appeared to be leveling off in 2006-2007, the number of records lost per breach more than doubled from less than 150,000 in 2006 to more than 340,000 in 2007. In these situations, most companies respond to the obvious threats — the legal and regulatory risks and the damage to their public image — but most fail to deal with the costly and insidious threat of long-term business loss.
While corporate data may be lost in a breach, it is more difficult to assess the financial and emotional risk to customers, employees, patients, and other individuals whose personal data has been compromised. These risks are serious enough that about 30% of U.S. corporations have a formal “privacy” department, and more than 25% have a Chief Privacy Officer, Chief Security Officer or Chief Information Security Officer. These guardians of privacy are well aware of their corporate duty in the event of a data breach. A majority of states have some form of legislation requiring notification of individuals affected by a privacy breach, and in certain industries customers are protected by national regulations such as the “Red Flag Rules” in the Fair Credit Reporting Act (FCRA), the Health Information Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA). Failure to comply with these notification requirements can leave an organization open to regulatory action and also to legal action from the affected individuals.
loss of business caused not by public perception, but by the very personal experiences of the people affected by the breach.
True Costs of Data Breach Response
According to a recent study by the Ponemon Institute, the costs of data breach response (as shown in Figure 1) are rising: average cost in 2007 was $197 per lost record, an 8% increase over 2006 and a 43% increase over 2005. Businesses are trying to save breach response costs through reductions in notification costs (mail vs. call center services) and credit monitoring services. However, Ponemon found that lost business, not response costs, now accounts for 65% of data breach costs, and that lost business costs are increasing at a rate of 30% each year.
60% of respondents had or were contemplating ending their business relationship with the breached organization. In the worst case, they may take legal action, as reflected by the rising costs of legal defense after data breaches. Over time, the cost of acquiring new customers also increases, due to bad PR from the breach and as the individuals affected by the breach share their experiences with others.
A data breach can put an organization in legal and regulatory jeopardy, and it does cause unanticipated costs that affect short-term financial results. But the greater risk is that a data breach injures an organization’s credibility and long-term business prospects, and it injures the people whose data has been lost.
The Trust Factor
Customer experience is the key to avoiding or containing long-term business loss from a data breach. Statistically, a minority of data breaches led to large-scale identity theft, yet a 2005 study by Ponemon Institute found that more than 86% of those affected by a data breach are fearful of potential negative effect on themselves and their families, and over 58% felt it had diminished their trust in the organization reporting the breach. Breach victims cited a whole range of reasons for these negative perceptions: confusing and/or incomplete communication, delays in notification, and support or assistance that was not perceived as helpful. The bottom line is that in almost 60% of cases, the victims were left feeling vulnerable, unsupported, and/or damaged.
While businesses are seeking to reduce the up-front costs of data breaches, it is clear that the most costly response is a response that does not meet the needs and expectations of the breach victims. To formulate a financially sound response to a data breach, businesses need to consider what it will take to maintain a positive relationship with the breach population.
A Full-Recovery Model
For their own financial health, organizations need to take a more proactive, outcome-oriented approach to data breach response, aiming for “full recovery” for themselves and those affected by the breach. In a full recovery model, the affected population is informed promptly, clearly, and in a manner appropriate to their needs; they are provided with protection against and recovery from ID theft; and at the end of the experience, they remain as loyal customers, employees, clients, or patients. Full recovery for the breached organization means that public credibility, business relationships, and business prospects are preserved, and the cost of breach response services is far outweighed by the goodwill it engenders and the income streams that it protects.
Full recovery from data breaches depends on targeted, well-executed responses at each stage of the data breach lifecycle (as shown in Figure 2).
Figure 2: The Data Breach Lifecycle
BREACH ASSESSMENT: During this phase, businesses need to determine the nature of the breach, the level of exposure and the probable risks to the organization and to the breach population. The recovery plan should be aimed at meeting the unique needs of the breach population and at achieving the best return on breach recovery costs (more about this below).
BREACH RESPONSE: Response activities center around notification of the breach population. Communications should be tailored to the needs and concerns of the breach population. For example, an elderly population may need accommodations for hearing or sight issues, or caregivers may need to be included in the communication. If the breach population includes people for whom English is a second language, notification letters may need to be translated, and call centers should have staff fluent in the needed languages. Call center staff should be fully prepared to handle notification, questions, concerns, and problem resolution. Face-to-face meetings may also be appropriate for breach victims at high risk or with special needs.
BREACH VICTIM PROTECTION: ID theft protection for the breach population can include a variety of services, including advice on how to use credit monitoring, enrollment-based protection packages that include services such as credit monitoring and public database monitoring, and insurance to cover any financial losses and/or legal costs directly associated with the identity theft.
ID THEFT RECOVERY: Recovering from identity theft can take an individual months or years, hundreds of hours of their time, and untold stress. If the worst happens, and any members of the breach population do become victims of identity theft, recovery services should be available to restore their financial status. The victim should have only to fill out some basic paperwork and sign a very limited power of attorney. With these in hand, a qualified
costs of changing account numbers, etc., and the costs of providing services such as credit monitoring for a year, but not the long-term costs of lost business. Breached organizations have tended to view credit monitoring as the “standard” protection to be provided in a breach situation. But Ponemon Institute research finds that consumers do not highly value credit monitoring as a complete corrective solution, as indicated by low and declining rates at which breach members opt in to a credit monitoring offer.
Since the greatest costs of breach come from consumer dissatisfaction with breach response, the best “return-on-response” is achieved by investing in high-value assessment and high-touch response services that properly inform and reassure breach victims, then choosing protection and recovery services that are appropriate to the actual risk and that are bulk-priced based on the size of the breach population. This kind of offering will also be more cost-effective and more predictable for the breached organization.
In contrast with credit monitoring alone, recovery services in conjunction with monitoring have an excellent return on response cost. Not unlike the case for insurance, in most breach situations the odds are relatively low that any given individual will have their identity stolen. But pre-paid recovery services can provide all breach victims with greater peace of mind, and the small minority who may fall victim to ID theft will be far less inclined to publicize their plight or litigate if they have the benefit of fully-managed recovery services. And expert recovery services can also protect the breached organization from spurious
breach response, even though individual breach victims are notified and offered a number to call, they often end up dissatisfied with the quality of response and become distrustful of the organization. This causes response costs to increase due to the inefficiencies of dealing with disgruntled and concerned individuals in the midsection of this funnel. The result is more call center time, and customer dissatisfaction leads to lost business and litigation.
Figure 3: Best Return-on-Response Achieved when each Stage of Funnel is Optimized
With a full recovery model, in contrast, a more personal and tailored response causes the breached individuals to maintain very high levels of customer satisfaction at every stage. As breach victims regain trust with the organization, they spend less time with call center staff, often enroll in fewer protection services, and are less likely to pursue litigation and/or take their business elsewhere. So an optimized full recovery approach to responding to a data breach will often be no more costly than a less complete approach in terms of out-of-pocket costs, and will also typically result in a better return-on-response because of the reduction in longer term costs of lost business and litigation.
Data breaches take their toll on a business, but the heaviest toll comes from a breach badly handled. Customer reactions may range from loss of trust to offense, outrage and even litigation. Data breaches in large, highly visible organizations often get media attention, and breach victims will talk to others about their experiences. The combination of word-of-mouth and public perception can greatly affect future business prospects. When responding to a breach, organizations need to think in terms of protecting current and future business and getting the best return-on-response. And since breach response presumably isn’t (and shouldn’t become) one of your core business competencies, consider hiring a full service breach services vendor who can help you achieve full recovery for both breach victims and your business.