Customer data: valuable to have, expensive to lose
Barely a week has passed in 2015 without a data breach story hitting the headlines. Major names such as Blue Cross Blue Shield, Anthem health insurance and even security tech specialist Kaspersky Lab have suffered from security issues, and thousands of subscribers to adultery site Ashley Madison – along with many people who weren't users of the site at all – squirmed as their email addresses were revealed to the world. Just last week, WH Smith admitted that it had inadvertently shared the contact details of customers using its online forms.
The direct financial consequences have been well publicised. In 2014, US giant Home Depot suffered the theft of the details of 56 million customer credit and debit cards, at a cost of well over $62 million. In the same year, fellow retailer Target estimated that the financial loss from its own data breach would total over $148m. Sony has finally settled with 50,000 employees in compensation for the exposure of their personal details in last year’s cyber attack. The amount is undisclosed but public opinion has been unsympathetic.
The majority of the immediate costs following a breach come from claims made by payment card networks alleging fraudulent transactions, but this is not the full picture. The Ponemon Institute, in its 2014 Cost of Data Breach Study, details a host of other factors that contribute to the cost, including hefty fines from regulators and technical costs as companies struggle to make fixes to computer systems. The report concludes that the average cost to a company in the current climate is US$3.5 million, 15 per cent more than in the previous year.
By far the most damaging factor in the aftermath of a breach, however, is to the reputation of a brand, along with the loss of customer trust and business that results from it. Semafone's own research showed that 86% of people (91% of women and 81% of men) would be unlikely to do business with an organisation that had suffered a security breach involving credit or debit card data. When such a disaster occurs, companies find themselves spending heavily on advertising and communications to restore a positive brand image, and in extreme cases, building an entirely new customer base from scratch. This problem has been shown to be particularly acute in industries where trust is at the heart of the business, such as healthcare and pharmaceuticals.
Organisations have always needed to balance the risk of an attack against the costs involved in preventing it, and in recent years the price of effective prevention has frequently been judged too high. Compliance with the Payment Card Industry Data Security Standard (PCI-DSS), for example, has often been bypassed. These regulations, drawn up by the card providers to protect customer data, require many technological checks and controls and can be expensive and labour-intensive to implement. At the same time, the consequence of a data breach has been perceived to be relatively mild, consisting largely of a fine and an element of compensation to the customers affected. When faced with the prospect of spending thousands to implement and maintain proper security for a contact centre, the risk of a breach can seem to be worth taking.
Compliance with PCI regulations is still not cheap. Four years ago the average annual spend for an organisation handling over 6 million card transactions a year was £150,000. Today, additional requirements such as the increased use of external auditors have been added to the checklist, driving the cost even higher. While technological advances are helping organisations to avoid handling card data wherever possible, PCI compliance is still a serious matter.
But the balance has changed. The scale of fraud has reached new levels; Home Depot's attack was labelled “the biggest data breach in retailing history” by high-profile publications such as the Daily Mail, and is just one of several to hit the headlines during the past twelve months. And as card fraud becomes better organised, customers are becoming more nervous. It is no longer simply a question of worried individuals discussing the matter on social networks; stories like those of Target and Home Depot have been communicated far beyond national boundaries and it is apparent that an entire brand can be tarnished globally in a matter of days as a result of an attack.
Legislation, too, has become fiercer. The proposed new European Data Protection Regulations look likely to threaten large corporations with a fine equal to 5% of their global revenues if they can be shown to have been negligent with customer data. The new rules will also require that data breaches must be reported within 24 hours – so businesses will have no opportunity to conceal the facts.
In the light of all these factors, companies have no alternative but to do their utmost to protect both themselves and their customers from fraud. By comparison with the true cost of a data breach, PCI compliance can no longer be considered "too expensive", but ultimately no amount of checks and access controls can guarantee the safety of customer data. For peace of mind, companies have two real options: keep spending on security to stay one step ahead of the bad guys, or work with payment specialists to remove sensitive card data from the contact centre altogether. The second of these options is becoming increasingly appealing.
Fraud attacks are unlikely to stop any time soon, and media interest in them has increased hugely in the past 12 months. A "small" breach, affecting fewer than 100 people, such as that suffered by Irish bank Permanent TSB, might once have escaped notice, but now makes national news. With the new EU data protection regulations, any breaches will have to be revealed to the regulator within 72 hours, so keeping quiet just isn't an option. The spotlight is on, so we all need to get plans in place for how we'll handle it if a breach affects our businesses, and more importantly, to make sure we're doing everything we can to prevent one happening in the first place.