After nearly two months of non-stop controversy and scandal over its improper use of Facebook data, Cambridge Analytica finally announced that it was ceasing operations, effective immediately. As part of winding down its operations in both the UK and the U.S., the company will file for bankruptcy. In doing so, Cambridge Analytica has become the new poster child to highlight the perils of data security breaches.
While still clinging to the notion that it had done nothing fundamentally different from what other companies have done, Cambridge Analytica conceded that its role in the Facebook scandal had made it a pariah in the business world. As the company announced in a statement, “The siege of media coverage has driven away virtually all of the company’s customers and suppliers.” On top of that, Facebook had already cut off Cambridge Analytica from its platform, meaning that the core ingredient of the disgraced company’s business model – Facebook user data – was no longer available for analysis and data mining.
Is there life after a data privacy scandal?
The big question, of course, is what happens next for the people involved with Cambridge Analytica. The company might be shutting down operations, but that doesn’t necessarily mean that the people behind the company – both the executives and investors – are walking away from similar types of business endeavors. There have been some published reports, in fact, that executives of Cambridge Analytica are forming a similar type of company, also to be based in Britain.
In one scenario that has been floated, a wealthy Hong Kong financier and Erik Prince (the controversial founder of Blackwater) are combining forces with members of the wealthy Mercer family to re-launch and re-brand the company as Emerdata. Other scenarios have suggested that Cambridge Analytica might be looking for ways to sell its most valuable assets – data and intellectual property – to the highest bidder before it closes its doors for good.
There are obviously going to be a number of legal, not just business, implications if Cambridge Analytica attempts to rise, Phoenix-like, from the ashes. One of those involves a pending case from the UK’s Information Commissioner’s Office related to Cambridge Analytica’s role in the 2016 Brexit referendum. Just as U.S. legislators allege that Cambridge Analytica helped to tip the scale in favor of U.S. President Donald Trump during the 2016 presidential election, UK legislators allege that Cambridge Analytica helped to tip the scale in favor of Brexit in 2016. Efforts to resolve this case might make it harder for Cambridge Analytica to close up shop and quietly walk away.
The financial cost of a data security breach
While Cambridge Analytica stands alone as an example of a company that has been toppled as the result of a Facebook-related data privacy breach, there are many examples of companies that have paid the price – literally – for a data security breach. In the latest 2017 “Cost of Data Breach Study” conducted by IBM and the Ponemon Institute, the average cost of a data breach involving sensitive data is now $3.62 million. If you break that down, it comes out to an average cost of $141 for every lost, stolen or breached record. While the cost of a data breach has decreased by nearly 10 percent on a year-over-year basis, the size of the average data breach has increased by almost two percent.
In most cases, companies will attempt to keep news of a data breach as quiet as possible, knowing full well that once news of the data breach becomes public, it could lead to a massive run for the exits by investors. Case in point: Equifax, a credit data company that reported a breach of 145.5 million records in September 2017. Almost immediately, Wall Street investors began to abandon the company in droves. On September 7, the stock price of Equifax was $142.72. One week later, the stock price was $92.98, and many people openly speculated that the company could be headed for failure. The entire business model of the company, after all, was based on user data. Yet, seven months later, the stock price has stabilized in the $110 – $120 range. The rumors of an Equifax death, as Mark Twain might have noted, had been greatly exaggerated.
Data privacy perils come to the executive suite
Far more likely than a complete collapse of a company is the removal of the top executive – or team of executives – thought to be responsible for the data breach at a company. That was the case with the mass market retailer Target, which saw a spectacular data breach of nearly 110 million records in 2014. That ultimately led to the dismissal of the company’s CEO, Gregg Steinhafel. A similar fate awaited the head of Sony Pictures, Amy Pascal, who was shown the door after a massive data breach of the company by a hacker collective calling itself “Guardians of Peace” (thought to be linked to the North Korean regime).
As one popular saying goes, “There is no job security when your job is security.” In other words, if you are being paid a six-figure income and are appointed the Chief Security Officer (CSO) of a company, you can rest assured that your job will be on the line if there is a major data breach at your company.
Business failure as the result of cyber attacks
Large, established companies might not topple as the result of a data breach, but the results are much dicier with small- and mid-sized businesses, which simply lack the resources to remain a viable working entity after a massive data breach. Certainly, you can put Cambridge Analytica into this category of company.
According to the SEC, cyber attacks pose “an existential threat” for small- and medium-sized businesses. In an October 2015 public statement, SEC Commissioner Luis A. Aguilar pointed out the rising costs of cyber attacks for small- and medium-sized businesses, which now bear the major brunt of hacker phishing and spear-phishing attacks. Hackers view these smaller businesses – many of them only lightly defended against attack – as easy targets. Perhaps not surprisingly, the SEC pointed out that one-half of all small businesses have been the victim of a cyber attack. Of those businesses, nearly one-third now require at least 3 days to recover from such an attack.
The new data privacy landscape of the GDPR
The new wildcard in the data privacy world, of course, is the introduction of the European General Data Protection Regulation (GDPR) in May 2018. The regulation specifically holds open the door to significant financial penalties in the case of non-compliance. IBM and the Ponemon Institute have already suggested that the average cost of a data breach is $3.62 million. With additional costs added on from GDPR, it’s easy to see how that figure might balloon even higher still, to more than $4 million per data privacy breach. For some companies, such an extensive price to pay for a data breach might ultimately put them out of business.