Research Highlights

Data Breaches are the WMDs of Corporate Reputation

By Vasant Dhar, Professor and Head, Information Systems Group, Daniel P. Paduano Faculty Fellow & Director, Center for Digital Economy Research and Arun Sundararajan, Associate Professor of Information, Operations and Management Sciences, NEC Faculty Fellow & Doctoral Coordinator, IOMS-Information Systems
Hackers steal more than data when they breach corporate security walls: the hit to a company’s reputation can be more lethal than the immediate impact of the theft, according to NYU Stern professors Vasant Dhar and Arun Sundararajan.

The loss of consumer information can be devastating, whether it involves credit card, social security, and other essential information or simply customers’ names and addresses, as in the huge Epsilon breach disclosed in early 2011. The ultimate degree of damage often won’t be known for months or years.

But a company’s good name is immediately tarnished. In today’s wired world of business, data risk is reputational risk.

Dhar and Sundararajan say the buck stops with CEOs. In their article, [link]“Comments on ‘Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” written with NYU Stern Research Scientist Jessy Hsieh in response to the FTC’s request for public comment, they write that it’s time for companies to establish data governance policies. CEOs need to be proactive about setting boundaries around the data their consumers entrust them with.

The foundation of sensible data governance, according to the professors’ research, is based on how much non-essential consumer data companies collect, how long they keep it, how they use it, and with whom they share it. The intent with which consumers share their data is another parameter companies must heed.

Smart data governance involves deciding on data use based on a nuanced assessment of risk and not just return, according to the professors.

“Establishing data governance policies is a first step towards trying to prevent your data assets from turning into liabilities, or worse yet, being used as WMDs against your company’s hard-earned consumer goodwill,” Dhar and Sundararajan say.