Risky business: The impact of data breaches

Not a day goes by without news about a security breach at a company.

In early 2015, fraudsters were found to be using credit card data stolen from Target and Home Depot to create Apple Pay accounts. The fraudulent accounts were then used to buy big ticket items. In particular, Target has been under siege by hackers. After the last major data breach, the impact on sales was large and long lasting. It seemed too soon to be compromised again.

These frequent security breaches reveal that many companies might not be taking these data breaches seriously enough.

But data security is more than an information technology issue. It is a marketing issue, because providing great customer service implies the protection of all customer data.

Sony Pictures found out the hard way what can happen when you make a colossal mistake like storing passwords in a file on your computer called “password.” While the Sony incident was politicized as a U.S. versus North Korea issue, it has debilitated Sony’s financial viability from a business perspective.

Quite simply, over the long run data breaches can have a severe strategic and financial impact on companies. Data beaches are – and should be – considered as a paramount strategic issue in the digital age.

Our research of 88 companies suffering data breaches has shown that the market reacts very negatively to such data breaches. Companies can lose as much as 3 percent of their market value over long run as a consequence of such data breaches.

Is the market having a knee-jerk reaction (“irrational antipathy”) to such incidents? We think not. When customers’ information is breached, they tend to reduce their dealings with the breached company.

Think of the incident as a violation of trust. It is not just loss of trust by current customers, but it has ripple effects in terms of negative word-of-mouth – especially in the age of social media. The old adage “there is no such thing as bad publicity” is trite. Customer information breaches are very bad publicity.

Our research shows that market value of retail service industry companies suffer a harsher negative impact than other industries. Such companies can lose, on the average, almost nine percent of their market value within 30 days of a breach announcement. We believe that the market reacts so severely to breaches for retail sector companies because retail customers are can be fickle and not loyal to brands. Any publicized negative event can lead to switching their business to competing firms.

Finally, the negative market reaction is severe regardless of how many customers are impacted. A breach of any size is viewed as a strategic blunder by the market.

Companies must assess their information risks and audit their information systems security policies and protection in the most rigorous manner. As a proactive approach, companies must take a lead in establishing rigorous customer information security standards.

Hackers are always a step ahead of companies, so there will never be a 100 percent breach-safe environment. Companies must establish a post-breach protocol of how they will inform, placate and compensate their customers. A good service-failure recovery has been shown to have the potential to generate goodwill. Customers can forgive and continue their relationship with a company if the data breach is addressed appropriately. And as is true in cases of other types of service failures, strong service recoveries even have the potential to create positive word-of-mouth exposure for companies.

While the media, technologists and business gurus tout the potential of big data, the increasing regularity of data breaches shows that with the potential comes peril. There are negatives, risks and consequences associated with holding incredible amounts of sensitive, personal and, in particular, financial data. Companies have to be responsible and strategic about “big data” – not just in its use, but also in preventing its abuse.

By Professors Arvind Malhotra and Claudia Kubowicz Malhotra