Today’s blog focuses on misconceptions surrounding the long-term impact of data breaches. The short-term financial, legal, compliance, regulatory, public relations and reputational damages are absolutely undeniable. However, the issue centers around whether breaches really have the long-term impact that people initially suspect they will.
One of the biggest questions here is “how long do customers remember?” More importantly “are data breaches at businesses, like retailers, ultimately overshadowed by customer shopping habits and personal convenience?”
The other day I heard a random comment about Target which was basically “they’re right back where they were before the breach…almost as if it never occurred.” This led me to ponder whether Target’s information incident had the kind of long-term impact on them (or any other business that’s been victimized by a breach) that prognosticators forecast it would.
Target’s security event occurred during 4Q 2013, impacting 40 million customer’s debit and credit card accounts.
The Short Term Impact
Customers Bail: Articles speculated that the breach would have long-term impact on Target. In the rush to judgement immediately afterwards, many customer’s wrote Target off. “You just lost a life long customer.” “If you can’t even protect customer’s personal information, or privacy, how can we trust you enough to shop there?” Common consumer sentiments, post major fraud event indeed.
Breach Losses: An April 9, 2015 TechRepublic piece placed Targets total losses at a little over $250 million dollars. When they subtracted insurance claims payments, and tax write-offs, losses fell to around $100 million. Settlements with banks, card companies and a class action lawsuit contributed significantly to the total loss figures.
Management: The “buck stops here.” CEO departs. Enough said.
Profits: Profits fell nearly 50% during 4Q 2013 however, the breach occurred late in the quarter. So, it’s unclear how much of the profit decrease was directly attributed to the incident versus other non breach related business costs which would have occurred absent the breach.
The Long Term Impact
Customer’s Return: It’s been almost 3 years since the Target data breach. Target hasn’t been boarded up, like so many other money losing retailers have (seen a Sports Authority store lately?). The reality is that Target’s still in business, stock prices have rebounded and customer’s are going back there to shop.
Stock Prices: At the end of 2013, Target’s stock was trading around $63/share. Today, it’s trading around $67/share. The March 31, 2015 Harvard Business Review explains Why Data Breaches Don’t Hurt Stock Prices.
Management: New CEO running the ship.
The Bottom Line
All this begs the question of whether consumer’s weigh personal conveniences and choices more than data breaches? We all have to shop, right? Or have we just gotten so in-sensitized to data breaches that their sheer volume just doesn’t impact us any more? Meaning, after the original shock wears off we’re all going to eventually return to our normal, pre breach habits.
The reality is, that consumer’s truly don’t have a long memory, hold grudges or stop patronizing entities that have had a data breach long-term. If they did, there would be no places left for us to shop, get healthcare, bank, get credit cards, travel, manage our municipalities or get groceries from. You get the picture…there have been data breaches in every one of these industries.
Again, this is far from a scientific study. But there are many other large businesses who’ve experienced a massive data breach and it hasn’t resulted in the “out of business sign” being hung on their door either. Some financial services companies, like Heartland Payment Systems, have even had more than one (2008 & 2015) and they’re still around.
A data breach can be lethal to small businesses. However, the reality is that they truly don’t appear to have the same type of long-term, non financial, impact on larger businesses that the “gloom and doomers” always predict immediately after the event occurs.
About the Author: Daniel Draz, M.S.,CFE is a recognized leader in the fraud profession. Fraud Solutions provides innovative enterprise fraud risk management consulting, fraud strategies, fraud risk assessments, fraud training, fraud content, subject matter expertise, thought leadership and insightful observations to clients across industry verticals.