
Data breaches and brand damage: effects on companies and customers


We’ve covered the importance of preventing human error and how data breaches can be damaging in terms of privacy. Now it’s time to consider the significance of protecting data in terms of brand damage and financial loss.

According to data from ADAPT’s CISO Edge, 90% of Australian CISOs rank brand damage among their most important drivers for implementing security initiatives, and 73% rank financial loss among them. This makes brand damage and financial loss two of the most significant reasons to implement proper cybersecurity measures in your organisation.

Financial Loss

Once a data breach has happened, financial consequences are a logical concern. Adam Bird, KJR’s NSW General Manager, explained that the severity of those consequences varies from one organisation to the next. “When you’re looking at different types of organisations, some will definitely face higher financial impacts than others, depending on the data stolen and the organisation’s response to it.”

Data breaches affect organisations and customers financially in a number of ways – let’s explore some of the most significant.

A hefty fine

Under the Privacy Act, a company that suffers a data breach can face a penalty of up to $10 million from the Office of the Australian Information Commissioner (OAIC), depending on the degree of negligence involved. The Notifiable Data Breaches scheme was introduced in 2018 so that organisations would stay aware of the implications of data privacy and take the right measures to prevent breaches. KJR has published a Survival Guide to the Notifiable Data Breaches scheme.

Stock prices

It’s common for an organisation’s share price to decline following a data breach, sometimes irreparably. US credit reporting agency Equifax suffered a significant breach in 2017 in which the data of over 145 million consumers was exposed. Its share price reflected the severity of the breach, dropping from $143 to $116 in September of that year. Similarly, Facebook’s shares fell by nearly 40% over the course of 2018 following the Cambridge Analytica scandal, accompanied by a steep decline in user trust. The damage isn’t always permanent, though; whether a company bounces back depends largely on its stability. Equifax is a prime example: its share price had recovered to around $140 by September 2019, meaning the initial damage was salvageable for an established business with a secure market position as a major US consumer credit reporting agency.

Identity Theft

Looking at the impact on the data itself, LinkedIn disclosed a breach in 2012, and by 2016 it had become clear that the email addresses and password hashes of over 115 million users had been taken; because the hashes were unsalted SHA-1, most of the passwords were cracked quickly. While LinkedIn was able to inform users and urge them to change their passwords as it learned the details of the hack, the real financial significance of this hack was its impact on users. “When personal information is breached, it will very likely lead to data theft of customers, users and employees”, Adam explained.

While this doesn’t directly affect an organisation’s financials, it impairs the financial wellbeing of the organisation’s stakeholders. From a consumer’s perspective, a compromised LinkedIn account exposes their resume, email address, work history and phone number, all of which can feed identity theft or other abuse of customer information. And because many people reuse passwords, a password cracked from one breach is routinely tried against the victim’s email, banking and other accounts.

Indirect Damages

When you think of data breaches, you probably think of identity theft and the immediate financial losses that come with it, but there are other, more indirect ways organisations can suffer damage. For example, attackers who get inside a company’s systems may plant hidden ‘back doors’ that let them return at will. With a back door in place, they can come back whenever they like and take whatever data is current, including updated financial and proprietary information. This is why incident response has to eradicate the attacker’s persistence rather than just close the original entry point, and it reinforces the importance of having quality security measures in place.

Reputational Loss

Financial losses aren’t the only thing causing organisations grief from data breaches. Reputational impairment is an equal if not more important consequence for companies to prepare for.

Customers want to be able to trust organisations with their data, not worry about whether their information is safe. Looking back at Yahoo: the breach it disclosed in 2016 had actually occurred in 2014, so the roughly half a billion affected users were alerted two years after the fact. By then the reputational damage to the already declining brand was locked in. Yahoo now has a reputational Brand Index score of 15.5, compared with Google at 40.4.

Companies can suffer reputational damage after a data breach in countless ways; here’s a glimpse of some of the biggest.

The witch hunt approach

According to Adam, a lot of organisations opt for a “witch hunt” approach, in which the smaller players among large-scale organisations hold off on preparatory measures because of the investment involved. Instead, they wait to see how the public reacts to other organisations’ data breaches, and how those organisations’ reputations suffer, before acting themselves.

“A risky approach”, if you ask Adam. It puts companies in the firing line, given their lack of protection of customer data, and highlights their failure to care about it.

Loss of trust?

During the 2000s, when cyber risk was only just being recognised, organisations worried about losing the trust of their customers and seeing them leave after a data breach. Now, as 2020 approaches, things have become more complex as the technological landscape has evolved. According to Adam, “most customers know how data breaches can affect them and take the right measures to protect their accounts once informed about it”.

The real issue revolves around what data was breached, how long the organisation took to respond, how it reported the breach, and how long it took to tell customers. As Adam explains, “ignorance is not a defensible excuse anymore”: organisations are expected to be aware of data security risks if they are to be responsible corporate citizens. “If you haven’t been a good corporate citizen, it can be very difficult to bounce back from a data breach”.

Marketing mayhem

Up to 70% of consumers say they would be likely to abandon a brand after it experiences a data breach, according to a global study by Gemalto. The reasons vary, from feeling that their data is unsafe to disliking the organisation’s public response to the breach and the way it informed customers. Reporting a breach is necessary, but how it is reported doesn’t always land well. For instance, when design platform Canva was hacked, the notification email buried the bad news beneath a more cheerful introductory paragraph. Customers criticised Canva on social media for treating the notice as a marketing message and for a lack of transparency, eroding some of the trust of its user base.

Competitors pouncing

Speaking of customers leaving, when an organisation is hit with a data breach, opportunities open up for competing brands. Adam explains that this typically happens when “competitors start customer acquisition campaigns, depending on the industry, to acquire affected customers”. Competitors can take advantage of the breach with campaigns that advertise their own security practices to prospective customers. Such timely, contextual campaigning can have an immediate effect on customers who feel compelled to move to the ‘safer’ alternative.

A swift recovery

Although recovering from a data breach is difficult, it’s certainly possible. To ensure correct measures are taken, the OAIC has suggested four key procedures:

  1. Contain the breach.
  2. Assess the risks associated with the breach.
  3. Consider breach notification.
  4. Review the incident and take action to prevent future breaches.

Every company should understand these steps, especially where cybersecurity measures haven’t yet been properly implemented. They are described in more detail on the OAIC website.

Security incidents are inevitable, but how your organisation prepares and responds to them can determine your company’s safety. At KJR we recognise how essential cybersecurity is and help organisations implement the correct measures to address cyber risks.

If this article has prompted the need for a cybersecurity review or cybersecurity awareness training within your organisation, please contact KJR for a requirements discussion and quote.

