Ponemon Institute, sponsored by Experian®, has released the findings of their Aftermath of a Data Breach study.

The study was conducted to learn what organizations did to recover from the financial and reputational damage of a data breach involving customer and consumer records.

Consumer and customer information collected by organizations is at great risk due to employee negligence, insider maliciousness, system glitches or attacks by cyber criminals. Since 2005, according to the Privacy Rights Clearinghouse (PRC), 543 million records containing sensitive information have been breached. PRC says this number is conservative because they track only those breaches that are reported in the media and many states do not require companies to report data breaches to a central clearinghouse.

In 2011, what is considered the biggest consumer data breach ever occurred. As reported by PRC, as many as 250 million consumers received notices telling them that their email addresses and names were exposed. Another significant data breach took place at the end of the year and involved the theft of credit card information.

The organizations represented in this study have had at least one data breach involving customer and consumer records in the past 24 months.

A summary of the study is below: 

All of the organizations in the study had at least one data breach involving consumer information and 85% report that more than one breach involving customer/consumer data occurred in the past 24 months.

In the aftermath of a data breach, IT respondents believe the following:

  • They are more confident than senior leadership about the ability to keep customer data secure from future breaches.
  • By far, negligent employees, temporary employees or contractors make organizations vulnerable to future breaches. Accordingly, conducting training and awareness programs and enforcing security policies should be a priority for organizations.
  • Privacy and data protection became a greater priority for senior leadership following the breach. As a result, IT security budgets for most organizations in this study increased.
  • They are concerned that customer data stolen from their organizations will be used to commit identity fraud.
  • The top three actions believed to reduce the negative consequences of the data breach are hiring legal counsel, assessing the harm to victims and employing forensic experts.
  • Lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored.

In Ponemon’s previous study, Reputation Impact of a Data Breach, the findings reveal that it can take a year to restore an organization’s reputation with an average loss of $332 million in the value of its brand.

For purposes of this study, they asked respondents to focus on the one data breach they believe had the most significant financial and reputational impact on their organizations. The study is organized according to the following three topics:

  • Circumstances of the data breach
  • Response to the data breach
  • Impact of the breach on privacy and data protection practices

In most cases, sensitive data lost or stolen was not encrypted

  • 60% of respondents say the customer data that was lost or stolen was not encrypted
  • 24% said the data was encrypted
  • 16% are unsure

Organizations report that their most sensitive data was lost or stolen

Respondents to the study were asked to focus on the one data breach that had the most severe consequences for their organizations.

What type of data did your organization lose?      %
Name                                               85
Address                                            69
Email address                                      70
Telephone number                                   58
Age                                                43
Gender                                             35
Employer                                           20
Educational background                             18
Credit card or bank payment information            45
Credit or payment history                          41
Password/PIN                                       48
Social Security number (SSN)                       33
Driver’s license number                            29
Other (please specify)                              9
Don’t know                                         11

Insiders and third parties are most often the cause of the data breach

What was the main cause of the data breach?        %
Negligent insider                                  34
Malicious insider                                  16
Outsourcing data to a third party                  19
Systems glitch                                     11
Cyber attack                                        7
Data lost in physical delivery                      5
Failure to shred confidential documents             6
Other                                               2

Data breaches reduce an organization’s productivity

50% of respondents say the most negative consequence of the breach was the loss of productivity. In the aftermath of a data breach, key employees may be diverted from their usual responsibilities to help the organization respond to and resolve the data breach.

This is followed by

  • 41% a loss of customer loyalty
  • 34% legal action

Data breach response strategies need improvement

  • 50% believe the organization made the best possible effort following the data breach
  • 30% say that it was successful in preventing any negative consequences from the data breach
  • 27% believe their data breach notification efforts increased customer and consumer trust in their organization
  • 63% believe their senior leadership views privacy and data protection as a greater priority than before the breach

Prompt notification and assessment of harm to victims are the steps most often taken in response to a data breach

The study reveals that the top three data breach response activities are:

  1. prompt notification to regulators as required by law
  2. prompt notification to victims by letter
  3. careful assessment of the harm to victims

New steps are taken to reduce negative consequences

Prompt notification to victims is no longer considered most helpful in reducing the negative consequences of the data breach.

The respondents indicated that the most helpful steps are:

  • retaining outside legal counsel
  • carefully assessing the harm to victims
  • hiring forensic experts

Credit monitoring and identity protection services are not often offered to victims

Despite the fact that many organizations lose the loyalty of their customers following a data breach, services that might maintain or even strengthen the customer’s relationship with the organization are not offered as frequently on a voluntary basis.

  • 30% say they offer credit monitoring services
  • 19% say they offer identity protection services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans and alerts.

If services are offered, they are provided for one year or less

Company’s data will be used to commit other types of identity fraud

While many of the respondents are confident about protecting their customers’ personal information, 64% say they are concerned that now that the data may be in the hands of criminals it will be used to commit other types of identity fraud.

Impact of a breach on privacy & data protection practices

In the aftermath of a breach, senior leadership believes the organization is more vulnerable to a breach

  • 49% of respondents say senior leadership believes the organization is more vulnerable to future data breaches
  • 27% of the IT respondents say the organization is more vulnerable, indicating their confidence in preventing future breaches
  • 28% believe their customers’ personal information is at greater risk since the data breach occurred

Lessons learned may improve privacy and data protection practices

Responding to the breach improved organizations’ understanding about how to investigate a future breach.

  • 66% say that the experience of investigating the causes of the breach will help them in determining the root causes of future breaches
  • 61% believe employees are more aware of the need to protect sensitive and confidential information. Training and awareness is the most often cited activity put in place to prevent future data breaches

Privacy and data protection became more of a priority and IT security resources increased following the data breach

  • 61% of respondents say their organizations increased the security budget
  • 28% hired additional IT security staff
  • 9% say they increased the budget for the compliance staff
  • 4% say they hired additional privacy office staff

Organizations are now minimizing the amount of personal data collected, shared and stored

  • 31% say the data breach has had no effect yet on how the organization uses personal data
  • 49% now say they limit the amount of personal data collected
  • 48% now limit the sharing of this data with third parties
  • 42% say the organization limits the amount of personal data stored
  • 27% say the organization now limits the amount of personal information used for marketing purposes

Ponemon’s Conclusion

We conducted this study to better understand how a data breach affects organizations over the long term. It is interesting to note that it took a serious data breach that had both financial and reputational consequences to make privacy and data protection a greater priority and allocate additional resources to the IT security function. While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims is helpful in reducing the negative consequences of the data breach. This suggests that compliance with data breach notification laws is not sufficient if an organization is concerned about customer loyalty and reputation.

For a full copy of the Ponemon / Experian study click here (registration is required).