Data loss... Who cares...

If you look at several high profile cyber attacks over the past few years where several organizations have reportedly had lots of data stolen, beyond the shock and noise that takes place in the days immediately after the attack, who really cares? Some individuals lose their jobs, the stock price takes a temporary dive, the reputation takes a temporary dive, some people face identity theft, but in the longer run who cares? Is there real data on the long-term impact of data loss?

Views by - Dr. Sundeep Oberoi

What we have actually seen is that whenever there is such a high profile data breach, a lot of money and investment goes into managing the impact and consequences so that the long term effects are minimized.

What specifically are the long term consequences? Is there evidence to suggest that stock price or any other demonstrable measure has been impacted? Where is the hard data? Many times the breach just causes lax people to be fired and the security systems to be decently upgraded, which should have been done anyway. Where is the evidence that not doing so was significantly more expensive? Penetrate and patch is what software vendors have always practiced, and with no penalty. The same seems to be true of organizations. Apart from perceptions, do you have hard data? If so, share it.

Heartland Payment Systems is one example where the company lost 50% of market value apart from legal fines. Also, a study was done by the Ponemon Institute (2012) on the aftermath of data breaches, in which organizations that faced a data breach had to face some long term negative impacts like loss of customer loyalty, decline in share price, etc.

I am willing to believe that there is a temporary drop in the stock price. However it will be interesting to know how long-lasting this impact is. It would be interesting to know what the overall conclusions of the report were.
Take the case of Target. The stock dipped to 50.06 on 14th Feb 2014 post the attack. On 15th June 2015 it is trading at 80.29! Doesn't look like a long term negative impact to me :-)

Soon the EU will come up with legislation amounting to fines of up to 5% of global revenue. Subject Access rights will have to be implemented. Punitive measures like a smack are probably the only way forward if nudge, hug, shove human intervention techniques do not work. The proposal on the table for the EU DR is 5% of global revenue or $100m minimum if reasonable due care is not exercised by organizations to protect data.

Could we incentivise better protection? Without punitive measures no one really seems to care. Would incentivisation work better than punishment?

In my view, there should be incentivisation like carbon credits for organizations having better protection which have consistently demonstrated due care in the form of required compliance and immunity to cyber attacks.
To my knowledge, there is already some indirect incentivisation for the BFSI industry regulated by the Basel accord. These corporates have to reserve economic capital against the perceived operational risks, which include data losses caused by security breaches. This capital is reserved based on risk indicators derived from past data loss incidents. If organizations have better security controls, they would have fewer data loss incidents and thus smaller amounts to be reserved. Indirectly it is a reward for due care and better protection.

Soon, the proposed update to the Data Protection Directive will take the form of a regulation, which means that all 28 EU countries will have to adopt it without changes. The regulation will apply to EU firms and to those firms outside the EU if they process personal data of EU residents. The strength of the regulation will be proposed fines of up to 5% of global turnover, 24-hour breach reporting for some categories of data loss, and the inclusion of a “right to be forgotten”.