Reputation at Stake

A person has his or her word; a company has its reputation.

And it is a reputation — that all-encompassing, all-purpose “it” defined as much by action as by belief — that can be shattered by anything and everything from calculated criminality to an honest mistake.

Beyond actual cash out of hand, what might be the ultimate ramifications? Consider what comes after thousands upon thousands of gallons of oil spew into the Gulf of Mexico; a once-revered football program is catapulted into the annals of shame by direct harm and absent response; or a hacked insurer database potentially compromises the personally identifiable information of more than a million individuals.

The first two situations (it is hoped) would be few and far between, but the third could become more commonplace as insurers, brokers and all manner of insurance stakeholders use “technology the good” to build great stores of information that become targets of abuse, misuse or a lack of care.

“In a global economy, driven by electronic commerce, it is essential that all necessary steps are taken to ensure consumers are protected from an unintentional release or criminal theft of their personal data,” Dave Jones, California’s insurance commissioner, said following the hacking incident in the United States.

The insurer responded by offering each compromised customer a year of free credit monitoring and identity theft protection, which includes notification of any changes to credit information, as much as $1 million identity fraud expense coverage and access to their credit report.

Awareness about how a data breach can affect business — from hard costs to the intangibles of a solid reputation — is on the rise, but still a divide exists between what should be and what is being done.

“Although organizations have become more aware of potential threats, they do not seem to accurately perceive the repercussions associated with data breaches,” said Dmitry Shesterin, vice president of product management at Faronics, which sponsored a recent cyber security readiness survey involving 803 individuals south of the border.

Of the 60% of businesses in the Faronics survey that had experienced a data breach within the last year, respondents reported time and productivity losses, serious reputational damage, loss of customer loyalty, legal costs and, to a lesser extent, lawsuits and regulatory fines.

Despite the increased awareness, despite the potential hard costs, almost two-thirds of public companies, 64%, do not buy cyber insurance, notes the Chubb 2012 Public Company Risk Survey.

It is that disconnect between rising awareness and flagging response where reputational harm can emerge.

Insurance is critically important — not only to address what has happened, but as a reminder to review what could happen. Even with the best intentions and excellent processes in place, that “could” is always a possibility.

Addressing that demands identifying risk and determining what is acceptable as an organization. But it also demands casting a critical eye on behaviour.

It is essential to consider what, where and when something may happen, and have in place practices and processes throughout all segments of an organization.

Culture must be carefully cultivated but, once instilled, can help guard against preventable loss and the potential for harm to reputation as a result of misdeeds, deliberate or otherwise.

Expectations about what an organization views as acceptable must be clear — and consistent. It is also necessary that an organization carefully consider the views of other entities that it deals with. There is no guarantee these will be in step.

That “something” that may lay waste to a reputation, even a good one built over time, is best avoided. If not, however, it needs to be managed and response needs to be swift.

The school of hard knocks has plenty of lessons to teach. The hope is that careful review, assessment and preparation in advance will help to avoid the whole sorry mess in the first place.