When you ask corporate leaders how a breach of data protection could hurt their organizations, you generally get the same basic answers: negative impacts on their bottom line, legal situation, brand strength, and so on. But there are additional layers of impact that rarely get talked about and that are as bad as or worse than the immediate ones.
Let’s start with the more obvious areas of impact. When a breach of data protection occurs, one of the first impacts is negative publicity. Depending on a variety of factors — the nature of the data and number of records involved, the particular industry, and the immediate response of the organization — the impact could be fairly short-lived, or continue for some time. Obviously, the longer the negative publicity lasts, the greater the impact on the organization.
Negative publicity in itself isn’t harmful — rather, what hurts are the changes it creates in the opinions and actions of stakeholders. For example, consumers or customers may start to rethink their relationships with the organization, and the next time their contract is up for renewal, they may give more thought to alternative providers with better data security records. This is one of the pernicious aspects of a data breach: if a company, such as a financial services provider, has customer contracts that are long in duration, the ultimate impact of a breach may not be felt until current customers’ contracts come up for renewal, which could be several years away.
A breach can also impact the company’s own employees — especially if the data that was compromised includes employee records. Besides the hit to the morale of current employees, the company now faces an uphill battle to recruit employees in the future.
Relationships with vendors and partners also suffer. Even if their records weren’t directly affected by the breach, external organizations could be understandably concerned that any proprietary information they’ve shared could be vulnerable to loss and theft, especially if top-secret information or intellectual property is involved. This could cause some partners and vendors to seek ways to distance themselves or even sever relationships, further hurting the organization.
If a company that has been hacked is publicly traded, the hit in reputation almost always has another immediate financial impact: a decrease in market valuation. Suddenly shareholders are concerned as well — and that could mean shrinking availability of capital moving forward.
There are other financial impacts as well — beginning with the expense of public relations efforts to reassure stakeholders and the costs of hiring IT security consulting firms to plug the holes. Last but not least, if there are lawsuits involved, there will be legal costs and possibly even settlements to pay.
Damage below the waterline
As bad as all that sounds, there is another layer of damage that may be even more significant. When a breach occurs, it can easily become a major distraction, pulling resources away from critical projects. That reallocation will create more profound problems soon, if not immediately — as well as further in the future.
To appreciate the dynamics of this problem, picture an organization as a ship. When a breach occurs, many members of the crew sense an immediate, existential threat — and naturally rush to that side of the ship to help. Many drop whatever they were doing and leave their duty stations unattended. Before long, the ship is listing and going off course. Meanwhile, the person whose job was to look out for sandbars (or icebergs) is no longer at his post, so the ship could face even bigger problems at any moment.
For an organization, this effect of a breach of data protection is significant — because at any given time the enterprise may have several or even many projects underway, each with its own priority level and time horizon. Some of these projects involve blocking and tackling — basic things that must be done to keep organizational processes working. Other projects may have longer-term goals, such as addressing broken internal processes or improving specific outcomes. Still others may be even longer-term, such as facilitating new product development, enhancing services to gain competitive advantage, etc.
It’s natural to have an all-hands-on-deck mentality when a crisis strikes — but by reallocating staff in the heat of the moment, the organization may lose momentum on some of these critical efforts. This can create additional negative impacts that, like the impact of reputational damage on long-term contracts, may not be felt for years after the initial breach.
The key point to understand is that often the true impact of a breach of data protection doesn’t happen once and then subside. It has the potential to ripple through the organization, disrupting performance and relationships for months or even years. All of which makes it more important than ever to take steps to minimize the potential damage before the next hack occurs, while one has the luxury of time.