Could a Data Breach Actually Help the Affected Brand?

Security professionals often use the fear of brand tarnishing as an argument for information security spending. The idea is that if a data breach occurs, customers will lose trust and leave; the valuation of the company will decrease due to the loss of revenue and as the result of investors losing faith in the company’s ability to retain customers. Such dynamics provide the company with an incentive to prevent the data breach from occurring, but is there a weakness in this argument?

The Problem with Brand Tarnishing to Justify Security

The argument of justifying security spending to mitigate the risk of brand tarnishing assumes that the company will suffer long-term financial harm after a breach. Whether this will actually happen remains to be seen. Authors of The New School of Information Security point out that “the share price of a company that disclosed a breach recovers within a few days. Contrary to expectations, few customers leave.” The authors acknowledge that “the immediate cost and distraction of dealing with a breach can justify spending on security,” but that is a different justification than the one that relies on brand tarnishing.

The idea that most customers will stay with a company that suffered a data breach seems counterintuitive, and I’d love to see some research on the topic. One way to better understand this issue is to look at how customers react to negative company news in general, without limiting ourselves to security incidents.

Can Negative Publicity Have a Positive Effect?

A New York Times article, “Good News, Bad News,” describes a study by Alan Sorensen and Scott Rasmussen that explored whether negative publicity can have a positive effect. The authors concluded that a crucial factor is the extent to which consumers are familiar with the brand or product.

For instance, books by popular authors that received negative reviews hurt sales, as expected. However, for books by relatively unknown authors, negative publicity actually increased sales over the expected projections. The negative publicity increased the public’s awareness, contributing more towards the book’s popularity than detracting from it.

Consider another example, which is a situation that’s still playing out. David Kravets’s article “Cooks Source Copyright Infringement Becomes an Internet Meme” describes how a cooking magazine allegedly published recipes from websites without authors’ permission. Bad publicity for Cooks Source. Will it hurt or help them in the long run? My bet is that if they survive the public’s outrage over the next week or so, they will come out ahead. That’s because the negative publicity is actually marketing the existence of this publication, which was relatively unknown until now.

Negative Publicity and Security

Let’s take another look at a company that suffers a data breach. My hypothesis is that if the breach is not related to the core reason why the company exists, the company won’t suffer from negative effects in the long term. In fact, if the company is relatively unknown, such a breach could actually benefit the company’s brand by marketing it to the general public. The danger might be that some organizations might not be able to survive the immediate crisis to benefit from increased visibility in the long term.

Of course, these are just theories. I’m still learning about the role that trust, security and negative publicity play in the perception of a brand. If you have any thoughts or pointers to share in the comments, I’ll appreciate hearing from you.

Update: Alas, Cooks Source did not survive the scandal and folded. In some cases, negative publicity might make the company better off; however, the company needs to be strong enough to survive the incident itself.

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
