While a minimum $50m fine is not to be sneezed at, Digital Balance’s Richard Taylor says that could be just the beginning of your financial woes if your brand experiences a data breach.
In November, the Albanese government approved legislation to significantly increase penalties for repeated or serious privacy breaches.
The Privacy Legislation Amendment Bill increased the maximum penalty for serious or repeated breaches from $2.22 million to $50 million, three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company's adjusted turnover in the relevant period, whichever is the greater.
According to the government, the larger penalties send a clear message to companies that they must do better to protect the data they collect.
And that’s just Australian fines. Did you know that a foreign national interacting with your brand is often subject to the laws of their country? For example, a German on holiday in New York interacts with your Australian website and provides their name and home address. They, and their data, are still subject to GDPR, under which US company Meta was fined €1.2 billion ($1.9b AUD) earlier this year.
No matter the size of the fine, Matthew Hauck, COO of web security company Ensighten, says this will likely turn out to be the second biggest cost for businesses that mishandle data.
The greater financial impact will be the reputational damage and the associated costs incurred trying to fix it. This is backed by a Forbes report that found 46 per cent of organisations “experienced damage to their reputation and brand value” after a cybersecurity breach.
Speaking to Digital Balance customers recently, Hauck said: “Loyalty and brand trust are elements brands compete on and the way they manage data is fast becoming integral to the way consumers view them.
“Brands that produce negative press, because they didn’t protect customer data, will incur not only the cost of the regulatory fines and consequences from civil action but also the cost of repairing that reputational damage.”
According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was USD 4.45 million, a 15 per cent increase over three years.
Couple that with the finding that 65 per cent of customers lose trust in a company after a data breach and that 85 per cent of customers would stop engaging with that company altogether, and you can see the impact this would have on the bottom line.
To mitigate this risk, Ensighten’s Hauck cautions against siloing data within organisations.
“If you have systems that contribute to go-to-market motions, the people who control those systems will inevitably be intertwined with your strategy as a marketer and your desire to continue to serve your customers in the way that you do today. So if you're pulling information from a CRM, it’s important there is evidence that data was sourced responsibly and in accordance with the law.
“If you're using information that is first party to your brand, that you've collected yourself, you're probably on pretty solid ground. But if you're using an integrated system or something that was subscribed to or a list that you purchased, there's probably a bit more diligence you want to undertake.”
Given the ACCC’s new focus on third-party data brokers, this is another reason to rethink your use of third-party data. Bear in mind also that 19 per cent of organisations included in the Forbes report suffered reputation and brand damage as a result of third-party security breaches.
Being proactive about data security will save your business money in the long run. The IBM Cost of a Data Breach Report estimates that organisations that use security AI and automation extensively save an average of USD 1.76 million compared to organisations that don’t.
Looking after your data will also provide brand benefits in the long term. Hauck noted: “Brands that manage data well will build a reputation that enables them to collect more data because their customers are more willing to give it to them knowing it is in safe hands.
“Those brands will be able to act in strategic, targeted ways while brands that mishandle data will increasingly find themselves coming up short in the ability to personalise their offering.”
Clearly, attention to data protection is no longer optional for businesses. That is, unless you’re willing to wear the financial impact of reputational damage leading to customer losses and reduced access to data, which will ultimately hinder your brand’s long-term viability.
Richard Taylor is the Managing Director of Digital Balance.