Could a Data Breach Actually Help the Affected Brand?

Security professionals often use the fear of brand tarnishing as an argument for information security spending. The idea is that if a data breach occurs, customers will lose trust and leave; the valuation of the company will decrease due to the loss of revenue and as the result of investors losing faith in the company’s ability to retain customers. Such dynamics provide the company with an incentive to prevent the data breach from occurring, but is there a weakness in this argument?

The Problem with Brand Tarnishing to Justify Security

The argument of justifying security spending to mitigate the risk of brand tarnishing assumes that the company will suffer long-term financial harm after a breach. Whether this will actually happen remains to be seen. Authors of The New School of Information Security point out that “the share price of a company that disclosed a breach recovers within a few days. Contrary to expectations, few customers leave.” The authors acknowledge that “the immediate cost and distraction of dealing with a breach can justify spending on security,” but that is a different justification than the one that relies on brand tarnishing.

The idea that most customers will stay with a company that suffered a data breach seems counterintuitive, and I’d love to see some research on the topic. One way to better understand this issue is to look at how customers react to negative company news in general, without limiting ourselves to security incidents.

Can Negative Publicity Have a Positive Effect?

A New York Times article Good News, Bad News describes a study by Alan Sorensen and Scott Rasmussen that explored whether negative publicity can have a positive effect. The authors concluded that a crucial factor is the extent to which consumers are familiar with the brand or product.

For instance, books by popular authors that received negative reviews hurt sales, as expected. However, for books by relatively unknown authors, negative publicity actually increased sales over the expected projections. The negative publicity increased the public’s awareness, contributing more towards the book’s popularity than detracting from it.

Consider another example, which is a situation that’s still playing out. David Kravets’s article Cooks Source Copyright Infringement Becomes an Internet Meme describes how a cooking magazine allegedly published recipes from websites without authors’ permission. Bad publicity for Cooks Source. Will it hurt or help them in the long run? My bet is that if they survive the public’s outrage over the next week or so, they will come out ahead. That’s because the negative publicity is actually marketing the existence of this publication, which was relatively unknown until now.

Negative Publicity and Security

Let’s take another look at a company that suffers a data breach. My hypothesis is that if the breach is not related to the core reason why the company exists, the company won’t suffer from negative effects in the long term. In fact, if the company is relatively unknown, such a breach could actually benefit the company’s brand by marketing it to the general public. The danger might be that some organizations might not be able to survive the immediate crisis to benefit from increased visibility in the long turn.

Of course, these are just theories. I’m still learning about the role that trust, security and negative publicity plays in the perception of a brand. If you have any thoughts or pointers to share in the comments, I’ll appreciate hearing from you.

Update: Alas, Cooks Source did not survive the scandal and folded. In some cases, negative publicity might make the company better off; however, the company needs to be strong enough to survive the incident itself.

Lenny Zeltser

Updated

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more