Talk Talk’s reputation has been seriously compromised in the aftermath of its cyber-attack and the company is taking a £30 million hit to put things right, but the list of big brands in the news over data breaches doesn’t end there.
The media spotlight has fallen on M&S, British Gas, Vodafone and Morrisons. Furthermore, it’s a global issue: brands seemingly safe in one market are threatened in another. Experian in the US is a recent example, the victim of another serious data breach. The public sector is not immune, with the Crown Prosecution Service served with a £200,000 ICO fine for a sensitive data breach.
Even a relatively modest data protection problem can cause reputational damage: misuse of data increasingly has serious consequences for a company’s image. Entire business sectors can be damaged by poor data management too, for example charities facing allegations concerning fundraising methods. Your competitor’s sins can be visited on you.
Whether it’s a cyber-attack, a technical glitch, a lost laptop, disgruntled employees or a mismanaged marketing campaign, it’s clear that data has the potential to seriously damage customer trust and public perception. At the heart of this is reputation, not an easy metric to measure, but crucial to business success: trust is hard won but easily lost.
Time will tell whether recent cases will irreparably damage brands or simply lead to short-term disruption. But in an age of social media, bad news travels lightning-fast. It demands rapid, transparent and effective management to mitigate impact.
There can be no doubt this problem isn’t going away – there will be more cases, more media attention and increased public awareness, putting data controllers under pressure to protect the data they hold and prevent it causing the sort of business disaster that permanently impacts market share.
Talk Talk and M&S have faced widespread criticism for their crisis and reputation management strategies. Other data controllers are being advised to ensure they implement robust data security contingencies, train all staff in data breach awareness, develop data breach plans and, perhaps most crucially, have at hand a resilient and effective communication strategy for when ‘data goes wrong’.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.