Over the last few years we have been unfortunate enough to be witness to numerous data breaches of unimaginable size and scale. So why have these organizations been able to recover so quickly and why aren’t consumers angrier about how their data is being handled?
Target, Facebook, Equifax, British Airways and Cambridge Analytica (to name a few) are all examples of companies failing to adequately protect consumer information – but there really is no end to the list of companies that fall short of the level of data security we would expect to see.
Let’s take Facebook as an example. Fresh off a data breach affecting nearly 50 million Facebook accounts, which could result in fines of up to $1.63 billion under the GDPR, Facebook was again in the news recently when hackers claimed to have stolen the private messages of 120 million users. Whilst the latest breach is yet to be properly confirmed by Facebook themselves, we have already seen 80,000 of these stolen records published, presumably with more on the way. All of this comes off the back of the recent fine that the ICO imposed upon Facebook for the now infamous Cambridge Analytica scandal.
But are the implications of this data breach going to affect Facebook in the long run? Probably not. Let’s take fines out of the equation because, unless we see the maximum GDPR penalties issued (which I won’t believe until I see it), no fine is going to do enough to cripple a business beyond repair.
History tells us that these massive data breaches do have an immediate impact on the stock price of that company. Share prices tend to fall 2.89% on average in the few weeks following a data breach. However, the impact of data breaches significantly decreases over time – and not that much time at that. After just one month, breached companies on average actually outperform their share prices prior to the breach, outperforming the NASDAQ by an average of 0.09%.
What this kind of recovery tells me is that people just aren’t that bothered by massive data breaches. Why do breaches so unbelievably far-reaching do so little damage to affected organizations? Why aren’t people angrier about the complete disregard for the security of customer data we have seen in many large businesses?
Lack of Control
Quite understandably, consumers are disillusioned with their ability to control their data security. The amount of sensitive information consumers are being asked to disclose in order to use services (such as social media, content sharing platforms and more) is beyond ridiculous.
It’s become a bit of a running joke that it takes a PhD to change the privacy settings on your Facebook profile or to delete your account completely. This no doubt contributes towards the general feeling that once you have given away your information, there is very little you can do to control it.
Very few, for example, completely understand the Right to erasure under the GDPR and the process of going about requesting to have your personal data erased. Far too many consumers don’t even know that they have this right in the first place.
What Does it Matter?
One of the biggest problems is that consumers are massively disconnected from the consequences of data breaches. Most people just don’t care what happens to their data or don’t understand why data security matters.
For example, one day you might see an advert for Ray-Bans on Facebook from some dodgy-looking discount website. You know the website isn’t official, but the deal is just too good to pass up. So, you enter your card details and go through with the purchase. The fake Ray-Bans arrive, and they are pretty much what you would expect for the price. No harm done, right?
The problem arises when, a few months later, you notice some suspicious payments from the same card. Most people simply would not connect the dots between willingly offering card information to a dodgy website and having your card information stolen months later. But that’s exactly what has happened.
This is the biggest failing of the cybersecurity industry to date. Consumers just don’t realise the consequences of having their data stolen and therefore are more likely to be casual about data security. This could be part of the reason why consumers don’t seem to be too angry about corporate data breaches.
What Can Be Done?
I’m not sure how many meaningful answers I can provide for you here.
All I know for sure is that something has to change in the cybersecurity industry – fast. The stakes could not be higher for both companies and consumers. There needs to be a shift in attitude towards data protection, an increase in data security awareness amongst consumers and a wider adoption of data security solutions.