Reputation Impact of a Data Breach: U.S. Study of Executives and Managers

Jan. 9, 2012, 5:00 AM UTC

Part 1. Introduction

We are pleased to present the findings of the Reputation Impact of a Data Breach study conducted by Ponemon Institute and sponsored by Experian® Data Breach Resolution. We believe this is the first study to examine how a negative event such as a data breach can affect the reputation and brand image of an organization. The organizations in our study all experienced a data breach that affected their reputation. The findings reveal the potential economic consequences of a diminished reputation, the most important factors contributing to brand and reputation, and what respondents believe are the best steps to take to restore the company’s brand and reputation.

The study surveyed 843 senior-level individuals with deep expertise and knowledge about their organization’s brand and reputation management objectives. Ninety-five percent of these respondents hold positions at the manager level or higher in their organization. More than 40 percent report directly to the chief executive officer or other C-level executives in the organization. Twenty-six percent report directly to the head of brand management or marketing and communications. Forty percent of respondents say that the CEO is most responsible in their organization for protecting the company’s reputation or brand image.

We asked individuals participating in our study to estimate the economic value of their organizations’ corporate brand or reputation. The responses ranged from a value of less than $1 million to more than $10 billion. Using an extrapolation method we determined the average value of reputation or brand image for the organizations participating in the study—which is estimated as $1.56 billion. Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $332 million.

As a percentage of their organizations’ annual gross revenues, the economic value of reputation and brand ranged from less than 10 percent to greater than 5X (500 percent). Again, depending upon the type of breach, the value of brand and reputation could decline by 17 percent to over 31 percent.

We also learned that it is not just the decline in the value that can harm an organization. For organizations in this study, respondents estimated that in some cases it could take longer than a year to recover and restore reputation and brand image. The study focuses on the following three topics:

•  The value of an organization’s reputation and brand image

•  What type of data loss (customer, employee or intellectual property) has the greatest effect on reputation and brand

•  The data breach experience of organizations in our study

Summary of findings

In terms of reputation impact, not all data breaches are equal. Some breaches are more devastating than others to an organization’s reputation and brand image. Following are the most salient findings for three different information assets lost or stolen as a result of data breaches.

•  Records containing confidential customer information are lost or stolen. We asked respondents to evaluate the consequences to an organization that had a data breach involving the loss or theft of more than 100,000 confidential consumer records. We also told them that the breach was widely reported in the media. Eighty-one percent of respondents say this would affect the economic value of their organization’s reputation and brand image. According to respondents, the average diminished value of the brand as a direct result of the incident is 21 percent. To restore the organization’s reputation would take on average about one year (11.8 months).

•  Records containing confidential employee information are lost or stolen. We asked respondents to evaluate the consequences to an organization that had a data breach involving the loss or theft of more than 100,000 confidential employee records. Again, the breach was widely reported in the media. About half (51 percent) of respondents say this would affect the economic value of their organization’s reputation and brand image. According to respondents, the average diminished value of the brand as a direct result of the incident is 12 percent. To restore the organization’s reputation would take an average of about 8 months.

•  Records containing confidential business information are lost or stolen. We asked respondents to evaluate the consequences to an organization that had a data breach involving the loss or theft of trade secrets, new product designs, source code or strategic plans. The breach involved a small number of extremely sensitive files. Eighty percent of respondents say this would affect the economic value of their organization’s reputation and brand image. According to respondents, the average diminished value of the brand as a direct result of the incident is 18 percent. To restore the organization’s reputation would take on average about 8 months.

Part 2. Detailed Findings

Reputation is one of an organization’s most important and valuable assets. As shown in Bar Chart 1, 74 percent of respondents say their organizations’ reputation is key and a similar percentage (73 percent) say that reputation and brand image are inextricably linked.

While reputation and brand image are perceived as very valuable, less than half of respondents (49 percent) say these are resilient assets and can withstand negative events, including a data breach. To keep reputation and brand as resilient as possible, the factors that are believed to make the most difference are good business practices, senior leadership and market leadership.

Calculating the value of reputation and brand reveals how valuable these assets are to an organization. The senior-level respondents in our study provided an estimate of the economic value of their organizations’ corporate brand or reputation. According to Bar Chart 2, the responses ranged from a value of less than $1 million to greater than $10 billion. We determined the extrapolated asset value of reputation and brand image for the respondent organizations participating in this study to be approximately $1.56 billion.

Bar Chart 3 shows that as a percentage of their organizations’ annual gross revenues, the economic value of reputation and brand ranged from less than 10 percent to more than 5X (500 percent). The extrapolated percentage asset value is approximately 152 percent of annual gross revenues.

Our survey utilized three scenarios about data loss or theft to estimate the economic impact of a breach event on reputation or brand image. These scenarios are defined as follows:

Scenario 1. Your organization experiences a data breach involving the loss or theft of confidential customer information. Assume that the data breach involved more than 100,000 records. Also assume that the data breach was reported in major media outlets.

Scenario 2. Your organization experiences a data breach involving the loss or theft of confidential employee information. Assume that the data breach involved more than 100,000 records. Also assume that the data breach was reported in major media outlets.

Scenario 3. Your organization experiences a data breach involving the theft of confidential business information such as trade secrets, new product designs, source code or strategic plans. Assume that the data theft involved a small number of extremely sensitive files.

According to Bar Chart 4, the majority of respondents see each one of the above scenarios as a reputation-diminishing event. Eighty-one percent of respondents say a data breach involving the loss of customer records would affect their company’s reputation or brand image. Similarly, 80 percent of respondents say the loss of a small number of high value files (a.k.a. intellectual property) would lead to reputation loss. In contrast, only 51 percent of respondents see the loss or theft of employee records as causing reputation or brand diminishment.

Bar Chart 5 provides the percentage economic impact to reputation as a result of three different data breach incidents. Depending upon the type of sensitive or confidential information lost as a result of the breach, the extrapolated economic loss in the value of reputation for the present sample ranged from $184 million to more than $332 million (see Table 1).

Bar Chart 6 provides estimates of the time it takes to restore reputation or brand image following a data breach incident involving the loss of customer information, employee records or intellectual property. Clearly, data breaches involving the loss or theft of customer information (11.8 months) take longer to recover from than incidents involving the loss of employee records (8.1 months) and intellectual property assets (7.9 months).

Bar Chart 7 summarizes the steps that respondents believe their organizations should take to minimize brand or reputation damage after an incident. As can be seen, conducting a thorough investigation with forensics and close collaboration with law enforcement are the two most important steps. According to a majority of respondents, other important steps include being responsive to the incident and taking steps to minimize harms to the data breach victim.

Data breaches have occurred in most organizations represented in this study and have had at least a moderate or a significant impact on reputation and brand image. According to Bar Chart 8, 82 percent of respondents say their organizations had a data breach involving sensitive or confidential customer information. Seventy-five percent say their organizations had a data breach involving the loss or theft of intellectual property. Forty-six percent say their organizations experienced the loss or theft of employee records.

Bar Chart 9 shows the frequency of breach incidents experienced by respondents’ organizations sometime during the past two years. On average, respondent organizations experienced 2.9 breaches involving business confidential information (a.k.a. IP). With respect to customer information, organizations experienced an average of 2.7 data breaches. Finally, respondents say their organizations experienced an average of 1.5 breach incidents involving the loss or theft of employee records.

Bar Chart 10 shows that 76 percent of respondents say customer data breaches had a significant or moderate impact on reputation. Seventy-five percent say intellectual property losses had a significant or moderate impact on reputation. In contrast, only 23 percent say the loss or theft of employee information had a significant or moderate impact on reputation.

Bar Chart 11 shows that before having a data breach, less than half of respondents say their organizations had an incident response plan for customer data (44 percent) or employee data (33 percent). However, after a breach incident, the overwhelming majority of respondents say their organizations put an incident response plan in place.

According to Bar Chart 12, the five most important factors contributing to an organization’s brand and reputation value are: financial health and stability (93 percent), product or service quality (91 percent), the company’s leadership (85 percent), Internet and social media communications (85 percent) and the company’s history or legacy (79 percent). As noted, 65 percent of respondents rate privacy and data protection practices as a most important factor contributing to their organization’s brand and reputation.

Bar Chart 13 corroborates the above analysis by showing that 92 percent of respondents believe privacy and data protection is important in protecting the organization’s reputation and brand value.

Our final analysis shown in Bar Chart 14 examines who is most responsible for protecting or preserving the organization’s reputation and brand value. Not too surprisingly, the CEO is in first place according to 40 percent of respondents. Another 18 percent of respondents say no one person or function owns responsibility for the protection of their organization’s reputation or brand value. Thirteen percent of respondents say the brand management function is most responsible for protecting the organization’s reputation.

Part 3. Methods

A random sampling frame of 24,556 adult-aged individuals who reside within the United States was used to recruit and select participants to this survey. Our randomly selected sampling frame was built from proprietary lists of highly experienced executives and managers with bona fide credentials or background in reputation management. As shown in Table 1, 918 respondents completed the survey. Of the returned instruments, 75 surveys failed reliability checks. This resulted in a final sample of 843 individuals (or a 3.4 percent response rate).

Pie Chart 1 reports the respondent’s organizational level within participating organizations. By design, 98 percent of respondents are at or above the supervisory levels. On average, respondents had nearly 13 years of relevant work-related experience.

Table 3 shows that the most frequently cited reporting channels among respondents are the CEO/executive committee (19 percent), head of marketing and communications (17 percent) and business unit leader or general manager (14 percent).

Table 4 reports the worldwide head count of participating organizations. It reports that 54 percent of respondents are located in organizations with more than 5,000 employees.

Table 5 reports the respondent organization’s global footprint. As can be seen, a large number of participating organizations are multinational companies that operate outside the United States.

Pie Chart 2 reports the industry distribution of respondents’ organizations. As shown, financial services (including retail banking, insurance, brokerage and payments), public sector (federal, state and local), retail, and health and pharmaceuticals are the four largest industry segments.

Part 5. Concluding thoughts and limitations

We believe this is the first study to show the serious impact a data breach can have on the economic value of an organization’s reputation and brand image. Considered by respondents to be one of the most valuable assets an organization can have, reputation and brand image is not the most resilient. This is evidenced by the length of time it can take to restore a company’s good name. In the case of a data breach involving confidential customer information it can take more than a year.

The findings of this study further demonstrate how devastating a data breach can be for an organization and how important it is to reduce the risk of such an incident. As is revealed in this study, respondents agree that the steps they are most likely to take following a breach are the same measures they believe can preserve and restore reputation and brand image. These steps involve investigating the breach to determine what happened and the extent of the harms, working with law enforcement and making sure victims of the breach are protected from identity theft.

Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

•  Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals with executive or management credentials located in the United States, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs or perceptions about data protection activities from those who completed the instrument.

•  Sampling-frame bias: The accuracy is based on contact information and the degree to which the sample is representative of individuals with responsibility for reputation management issues. We also acknowledge that the results may be biased by external events. We also acknowledge bias caused by compensating respondents to complete this research within a holdout period. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

•  Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that certain respondents did not provide accurate responses.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured over a three-week period ending in October 2011.

Part 2. Valuation Questions

Part 3. Scenarios

Part 4. Actual Experience

Part 5. Other Questions

Part 6. Organizational Characteristics
