
Data breach incidents having increasing commercial impact, says expert

Out-Law News | 18 Jul 2014 | 10:23 am

Media reports on data breach cases are having an increasing effect on the financial performance of companies that experience those incidents, an expert has said.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that senior business executives are taking IT security issues more seriously because of the commercial impact data breaches can have, and because breaches can trigger senior resignations.

Dautlich was commenting after online auction website eBay revised down its forecast of the revenues it expects to generate during 2014 in a recent financial statement following a data breach incident it notified users about earlier this year.

In reporting its financial results for the second quarter of this year, eBay forecast generating revenues of between $18bn and $18.3bn for the 2014 calendar year. In its previous first quarter financial results statement, issued in April, eBay forecast generating revenues of up to $18.5bn for 2014.

Since its first quarter report, however, the company reported that it had been the victim of a cyber attack which resulted in a database of user information, including names, encrypted passwords, email addresses and phone numbers, being compromised. Chief financial officer for eBay, Bob Swan, said that the data breach had an "immediate and dramatic" effect on the company's sales, according to a report by the Financial Times.

"2014 has been the year where we have seen a growing number of examples in the public domain of an explicit link between information security threats and a loss of shareholder value, and the departure of very senior officers of companies as a result of hacks," Dautlich said.

"This is moving the needle in terms of what boards of companies actually seem to be doing about improving information security in their organisations. The focus is also thankfully shifting away from treating this as some form of obscure 'IT' problem, and addressing much wider behavioural or cultural matters, such as vulnerabilities inherent in poor practice with passwords, policies regarding BYOD and so on. In narrow legal terms, the underlying issue here is really all about negligence: are companies meeting the required standard for defending themselves against security threats?" he said.

A number of major organisations have reported data breaches in recent months. The most publicised case was that involving US retailer Target. A hacking attack last year exposed tens of millions of Target customers' personal data, including credit and debit card information, to fraudsters. In May this year Target chief executive Gregg Steinhafel resigned from his position on the board of the company following pressure on the business in the aftermath of the data breach incident.