MANAGING THE REPUTATION RISK OF A MAJOR

SECURITY INCIDENT
Every day, or so it seems, another major data security incident is uncovered, underscoring the
severe threat that sophisticated cyber criminals pose to critical financial and operational
systems.

How bad is it?

43 percent of surveyed U.S. businesses more than two in five experienced a data
breach in the past year.1
Globally, 2.2 million records were stolen each day, on average, in the 2014 first quarter; the 200 million-plus total is a 233 percent explosion from a year ago2
No economic sector is immune. In the 2014 first quarter, the top six targets were
financial, health care, technology, retail, government and education.3
A data breach, on average, cost the surveyed companies $3.5 million, up 15 percent
from the prior years survey. Thats $145, up from $135, for each lost or stolen record
with sensitive and confidential data.4
Median number of days from discovery to containment: 87.5
For businesses in particular, the real price tag of being compromised goes well beyond the
hard costs of investigating the issue and plugging the security holes. It comes down to how
much a breach harms an organizations reputation and, specifically, reflects how much respect
and trust customers and other stakeholders retain after a major security intrusion.
Reputation reflects how stakeholders feel about you today while trust inherently reflects how
they will act with and for you in the future.
Their loss can prove catastrophic, especially since consumers are already concerned with
companies security efforts. A study by Hytrust Inc.6 revealed that nearly three-in-four U.S.
consumers dont believe organizations care about keeping their private data secure. And the
2014 Edelman Trust Barometer found that 85 percent of consumers believe that protecting
customer data will have the greatest impact on driving engagement and integrity for an
organization.
Annual Ponemon Institute study of data breaches and their costs for IBM, July 2014, www.ponemon.org.
Safenet Breach Level Index Report, April 29, 2014,
http://blog.executivebiz.com/2014/04/safenet-global-data-breaches-up-200-in-q1-2014/#sthash.wBi6cSO1.dpuf
3
Ibid.
4
Ponemon Institute study.
5
2014 Trustwave Global Security Report,
http://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf?aliId=26452020
6
Consumers hold companies accountable for data loss, snap poll of 2,000 consumers, Sept. 26, 2014.
1

When trust is compromised, business stops, maintains Jeff Hudson, CEO of Venafi, a
cybersecurity company. As our world becomes more connected and more dependent on
cloud and mobile technologies, maintaining control over trust must be a top priority for all
CEOs, CIOs, CISOs and IT security managers.
Strong actions exist to mitigate effects of a data security incident. Effective communications
and engagement can significantly reduce the potential loss of reputation. Organizations can
manage communications, regulatory compliance and stakeholder engagement to achieve this.
Preparation is key and Edelman can help. The worlds leading public relations firm created a
dedicated Data Security and Privacy Group that brings together a global team with years of
experience helping companies handle a wide variety of data security concerns ranging from
DDoS attacks to lost devices to PII and PHI issues. Edelmans data security expertise has
been applied to help organizations including merchant processors, financial services
companies, medical device companies, non-profits, automakers and retailers.
An effective response requires companies and organizations to determine and prepare the
right approach. This entails careful planning to prepare for and manage any number of data
security issues, and Edelman offers a proprietary, formalized Data Security Audit tool to help
do just that. It was developed from insights gained while working with companies across a
variety of sectors that dealt with various data security incidents.
The audit tool evaluates key tenets of preparedness from coordination and planning to
testing and readiness. It also delivers insights and recommendations to improve how
companies reach key stakeholders quickly and effectively if a data security incident occurs.
With the Data Security Audit tool, companies can better prepare to communicate about data
security incidents at a moments notice.

In brief, Edelman professionals:

Review a companys or organizations existing communications documents and
conduct brief interviews with senior-level communications staff. The documents
include crisis communications plans and protocols; issue-escalation plans and
relevant internal issue-notification processes; pre-drafted crisis and/or data breach
statements; mock data breach testing materials and coverage monitoring reports.
Confer after the review with the corporate or crisis communications director and,
perhaps, others to discuss communications planning and preparedness.
Develop a detailed report card with an overall preparedness score. That overall score
will reflect communications planning, testing and readiness as well as communications
integration and will analyze strengths and weaknesses across these areas.
Take steps toward improving data breach communication preparedness and outline
actions that can immediately improve that level of preparedness. These actions
include building plans and table-top testing.

THE PRINCIPLE TENETS FOR COMBATING THE

COVERT CYBERCRIMINALS ARE BECOMING CLEAR:
PLAN. PREPARE. PREVENT.
To learn more about the Data Security Audit tool and Edelmans other Data Security & Privacy
offerings, please contact:
David Chamberlin
Global Lead, Data Security
and Privacy Group
David.Chamberlin@edelman.com

@EdelmanDSP

Leigh Nakanishi
Senior Data Security
& Privacy Strategist
Leigh.Nakanishi@edelman.com
www.edelman.com/expertise/data-security-privacy/