Never mind all those formula Hollywood films about oddly sympathetic adolescents hacking into major government or financial computer systems. In fact, real cybercrime has overtaken terrorism as the central threat to U.S. security, according to FBI director Robert Mueller. The perpetrators may be ideological adversaries based in Iran. They may be gangsters prowling the canyons of Brighton Beach, Brooklyn.
The effects were dramatic last year. 2011 saw the largest cybercrime case in history when six Estonians were accused of infecting four million computers in 100 countries, allegedly intending to pocket vast click-generated ad dollars.
The Online Trust Alliance (OTA) has just released a report that dubs 2011 “The Year of the Breach.” At least 558 data breach incidents cost U.S. businesses more than $6.5 billion last year. Analysis of public breaches found the average per business cost was $7.2 million, or $318 per record compromised, representing an increase of $100-plus per record cost compared to 2009.
Over 50% of data breaches were a result of server issues, almost all of which the OTA says could have been avoided if its own recommendations had been followed. Those recommendations are annually published by the b in the Data Protection & Breach Readiness Guide, which outlines best practices in data security, privacy, and data collection.
The impact of many such data loss crises is exacerbated by apparent corporate mismanagement. Last April, for example, it took Sony five days to fully own up to a now historic data breach that compromised PlayStation Network and Qriocity user information and passwords. The electronics company was excoriatedfor not disclosing the bad news more quickly. Rebukes and dismay reverberated from social media to Congress.
Alas, 2011 seems less an anomaly than a harbinger of what’s ahead. For the immediately foreseeable future, each successive year is likely to gain rank asthe year of massive data breaches, including unintended system breakdowns as well as criminal conspiracies. Yes, more than 125 million people were affected by data losses of one sort or another in 2011 but that number isn’t actually all that prepossessing inasmuch as it will only likely get worse in 2012 – especially in light of the fact that, already in 2012, the alleged data breach of Amazon-owned online store Zappos may affect 24 million users.
Zappos, which sells shoes and clothes online, was a most trusted e-commerce brand. In the aftermath of the breach, the company decided to simply not accept phone calls from customers for an entire week, a brand-threatening decision whatever eventually happens.
Reflecting on Sony and Zappos as bellwether data loss crises, it seems especially unsettling that, well before the spring of 2011, much better data breach management practices had already been powerfully codified by experts and effectively implemented by corporate victims. Confronting their crises, those victims resolved to go beyond what was required of them to satisfy regulators and reassure public stakeholders.
A case in point was Heartland Payment Systems. In that 2008 crisis, over 130 million credit card numbers were believed to have been compromised. Heartland directly phoned 175,000 customers, coordinated with government officials to facilitate full public disclosure at the earliest possible moment, and introduced new encryption technology to protect against similar breaches in the future.
The point is, Heartland defined the data breach crisis management standard three years ago. There’s a cautionary lesson here: Don’t assume that even the world’s biggest and most famous corporations necessarily learn anything from the relevant experiences of other companies. Despite all that’s happened in recent years – and the compelling public databases that reveal the breadth and depth of the problem – many experts and counselors see persistent and troubling reluctance on the part of companies big and small to confront this reality.
“A lack of candor is the biggest failing,” says Stewart Baker, a partner at Steptoe & Johnson in Washington, DC and the first Assistant Secretary for Policy at the Department of Homeland Security. “Companies don’t like to talk about breaches, or admit what they don’t know.”
In this context, two strategic imperatives suggest themselves.
First, cultural self-transformation in a global environment. Data breach crises require companies to provide specific practical solutions that protect consumers, and to assure optimized communications of those solutions.
Data breaches offer a particularly pointed example of how some companies must transform themselves, readjusting their most basic cultural proclivities to satisfy the informational needs of far-flung stakeholders in a global marketplace.
Second, mastering change in a world where change is incessant. As consumer patience evaporates, the public sector is upping the ante – and even changing the rules – on a periodical basis. Right now companies must navigate through a myriad of existing state laws even as the European Union steps up its data breach disclosure enforcement initiatives.
To be sure, national data breach legislation is also on the way. Senate Judiciary Committee Chairman Patrick Leahy wants a bill stipulating how companies must inform consumers that their data has been breached. The best strategy for companies is to embrace Leahy’s concept, in part or whole, before this law or a similar version is passed. Don’t quibble with the overall concept driving this legislation. Welcome it.
Such a strategy spells public commitment. It spells corporate resoluteness. It means you’re part of the solution, not the problem. It ensures that people won’t be asking you what they’ve asked of Sony, and will likely ask of Zappos…
Mr. Sony, why did you wait so long? Mr. Zappos, why won’t you talk to me?
Richard S. Levick, Esq., is the president and chief executive officer of Levick Strategic Communications, a crisis and public affairs communications firm. Mr. Levick is on the prestigious list of “The 100 Most Influential People in the Boardroom,” He is the co-author of The Communicators: Leadership in the Age of Crisis and Stop the Presses: The Crisis & Litigation PR Desk Reference, and writes for Bulletproofblog. Reach him at firstname.lastname@example.org.
This article is originally written by Richard S. Levick and appeared at Forbes