Companies that suffer a data breach can expect to see their share price fall by five per cent and watch two to three per cent of customers take their business elsewhere.
Researchers at Ponemon looked at the share prices of 113 companies that had lost customer data, tracking their value from 30 days before their respective breaches were made public to 90 days afterwards.
The organisations saw an almost instant 5 per cent fall in their share price when the breach was made public. The stock took an average of 45 days to recover but there were big differences between companies seen as having a strong security stance and those with weak security.
Companies which showed a fast security response could expect their price to recover within seven days while a weak response left share prices still languishing 90 days after the data breach.
The number of customers who left the company as a result of the data breach ranged from less than 2 per cent to over 5 per cent. In financial terms, that meant average annual revenue losses of between £2.08m and £3.07m.
As well as looking at share price, Ponemon researchers surveyed three groups of people – 313 IT and security staff, 292 chief marketing and comms officers and 405 consumers.
A terrifying 51 per cent of consumers said they had been told by a company or government agency that their data had been lost or stolen in the last two years.
A little more than three-quarters (76 per cent) of consumers believed organisations have a responsibility to control access to their data, but only 46 per cent of CMOs and 44 per cent of IT staff agreed.
Consumer trust was also misplaced in certain industries: 68 per cent of consumers said they trusted healthcare companies to safeguard their data but only 24 per cent have equal faith in credit card companies. However healthcare companies accounted for 34 per cent of all data breaches while banking, credit and financial organisations were involved in only 4.8 per cent of total breaches.
There were some interesting disparities in the survey results: while 40 per cent of IT staff said their organisation had seen a data breach involving the loss or theft of more than 1,000 customer records or other business information in the last two years, only 23 per cent of comms and marketing staff agreed. This indicated that either sampling was skewed or that IT staff are not always ’fessing up to marketing when something goes wrong.
There were also differences in perceptions of the impact of a breach on the organisation. Marketing and communications staff see falling customer trust, negative media coverage and damage to brand as the three most important results of a breach. But 51 per cent of IT staff say financial harm is most damaging, followed by pressure from increased scrutiny of IT work after a breach. Regulatory fines or lawsuits were mentioned by 40 per cent of IT staff but only 18 per cent of CMOs. An even more paranoid 63 per cent of IT staff said a breach could result in them losing their jobs, versus just five per cent of CMOs.
Ponemon used a sampling frame for each of the three groups and got responses from between three and five per cent once some were removed for failing reliability checks. The survey could include non-response bias – it is possible that all those who declined to take part are substantially different to those that did.