What is the likely business impact of a security breach? And how can businesses respond when the worst happens? Nathan Skinner reports on a recent seminar for risk managers

What is the likely business impact of a security breach? And how can businesses respond when the worst happens and a security blunder is splashed over the front pages? Two security experts presented their views on these questions at a recent seminar for risk managers.

The frequency of security incidents these days is probably a reflection of organisations’ dependence on digital records and computer systems. These environments regularly prove to be less safe than we’d like to think they are.

When data is consigned to a digital system, organisations are quick to blame technical problems when things go wrong. Nevertheless, it’s usually humans who are at fault, and a high proportion of incidents arise from the action of contractors, who are perhaps not as well tuned in with the business.

Quantifying the cost of a data security incident is hard, partly because organisations don’t record security incidents in any detail, preferring to keep things quiet if they can.

Currently, there are no legal obligations to notify the public of security breaches in the UK. The Information Commission is pushing for notification laws but at the moment it’s restricted to deliberately embarrassing businesses into taking information security seriously.

In the US, however, many organisations are legally bound by reporting requirements if they lose personal information.

Last year a US study revealed that the cost of lost personal records equated to around £98 per record. The average cost per reporting company was equal to £3.2m and the cost of lost business averaged £2m.

But everyone knows the business impact goes well beyond a purely monetary quantification.

‘Business impact can come in many forms,’ said Neil Hare-Brown, chief executive of QCC information security, addressing risk managers at a Willis seminar on reputation.

A missing laptop could mean the loss of confidential business information that could fall into the hands of competitors, warned Hare-Brown.

He also said the integrity of business practices can come into question when the media latches onto a security incident, as evidenced by the recent SocGen fraud scandal. And the effect on corporate reputation, when security incidents are replayed in the media, is nigh on impossible to measure.

‘Our worst lapses are preserved on the web for all time,’ said Quentin Archer, head of Lovells’ technology, media and telecommunications practice area, addressing the same crowd.

Making a legal claim for loss of reputation is no easy task, pointed out Archer. Although the law allows for a claim for financial loss that was foreseeable, proving causation is difficult. ‘In practice the damage is unlikely to be recovered,’ he said.

Archer suggested that organisations take precautionary measures including restricting access to confidential information and keeping a record of who is downloading what.

‘Technology no longer rests in the IT department alone, it’s now a corporate responsibility,’ said Hare-Brown.

It’s a point that businesses may want to consider seriously. Once trust has been lost it’s much harder to get back again.