Toward the end of July, 2019, Equifax attempted to make amends with US consumers by offering free credit monitoring or $125 to those affected by its 2017 data breach. Consumers were quick to choose the cash alternative, leading to an overwhelming number of claims that forced the firm to back down from its promise.
During the same week, tech-forward Capital One joined Equifax in the list of wide-ranging data security scandals. The bank disclosed that hacker Paige Thompson broke into its servers, exposing the personal information of almost 106 million card holders and potential applicants in the US and Canada.
Data Security as a Reputation Risk
This story may sound familiar because it is. Big names like Facebook, Marriott, and Under Armour have led to similar headlines involving their users’ personal information. While investment in data security continues to be on the rise and the number of individual data breaches has dropped, year over year, the magnitude of data points compromised each time is increasing. Like Capital One’s recent example, one hacking episode can risk millions of identities across multiple markets.
Data and cyber-attacks have secured their place among the key macro-trends impacting today’s reputation landscape, according to Ri’s 2019 Reputation Leaders study.
In the United States, a data security violation is the single-most reputationally detrimental scenario in the eyes of the informed general public, far more damaging than a CEO crisis, a product issue, or a massive staff turnover.
Figure 1: Reputation Impact of Data Security Issues Compared to Other Risk Scenarios
(Source: U.S. Continuous RepTrak January 2018-June 2019)
Banks and Telecom Face Greatest Reputation Risk
While data risks are by no means exclusive to the financial services, companies within that industry are especially vulnerable, according to Ri’s RepTrak analysis. Compared to other industries in the US, the predicted reputational decline attributed to banks only comes second to the telecommunications industry.
The prevalence and seeming inevitability of data security issues have not desensitized consumers. On the contrary, data from Ri’s 2019 US Bank study shows that the negative reputation impact of data breaches has increased in scale, year over year. Without a solid brand and a lean crisis plan, a data security issue can potentially destroy a bank’s reputation in the eyes of an increasingly skeptical audience.
A Matter of Governance
Figure 2: 2019 Reputation Drivers of the US Banking Industry
(Source: U.S. Banking RepTrak March-April 2019)
The weight of data security as a reputational risk among financial services is linked to the importance of corporate governance. Data is a valuable currency in today’s economy, and how a company protects it is tied to their core practices of transparency and ethical behavior. Governance has consistently emerged as a key driver of a bank’s corporate reputation, especially among consumers who do not currently do business with them.
Ri’s research has also demonstrated that when a data security issue hits a company, reputation and perceptions of corporate governance suffer the largest consequences.
What happened to Equifax?
Figure 3: Equifax Pre and Post Data Crisis
(Source: U.S. RepTrak 2017-2018)
We have discussed the lessons learned from the Equifax scandal and the decline in reputation the data breach has created. (Read our recent blog post: The Equifax Breach is a Reputational Crisis that Will Linger). Equifax was already challenged pre-crisis, and it did not have much of an emotional buffer or reputational equity to trade-off
The company first learned about their data breach on July 29, 2017, but it didn’t inform the general public until September 7, 2017. It took over a month for Equifax to disclose the data breach, and in handling the matter, it was not fully transparent in divulging the exact details of what happened.
Their disclosure process also highlighted glitches in their Twitter account safety and the general dismissiveness around their global security practices.
As seen in Figure 3, Equifax was hit across the board, especially in its emotional appeal (reputation) and how people view its corporate governance.
What May Happen to Capital One?
Capital One is number 10 on the list of largest banks in the United States and the fifth-largest credit card issuer.
While other financial companies also use social media influencers to sell their products, Capital One stands out for having an advertising platform consistently built on celebrity endorsement. Starting with Samuel L. Jackson more than five years ago, its commercials have featured known faces like Jennifer Garner and, more recently, Taylor Swift.
This branding approach has helped them secure a middle-of-the-pack reputation and emotional buffer among the US public. According to Ri’s 2019 US Bank RepTrak, Capital One ranks #16 among customers and #34 among non-customers, within a total of 40 rated banks. Before the data breach scandal, Capital One was on par with the industry average among customers, but falling behind in the eyes of non-customers.
Like the industry as a whole, its year-over-year reputation has been on a downward trend, making it susceptible to the general skepticism that has affected the financial services industry.
Figure 4: Capital One's Reputation Over Time
(Source: U.S. Banking RepTrak 2017-2019)
However, while Capital One will probably struggle to attract new market share after its recent bad press, Ri’s analysis suggests that it will most likely bounce back from the data breach crisis. The reasons for that list as follows:
During the months prior to the data breach crisis, Capital One was nearly scandal-free, except for the bank’s request for a subpoena to comply with the House Democrat’s request to access President Trump’s financial documents.
Capital One has been quick to act after the data hack, publishing information on the punishment of the perpetrator and publicly apologizing through its CEO Richard Fairbank.
In their communications immediately after the incident, they have been transparent about the exact impact of the crisis on consumers, using their website to informing the public that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual”
Prior to this event, perceptions of its corporate governance among customers was strong and above the financial industry average.
Capital One also benefits from an elevated brand strength among its customers. Perceptions of the bank as genuine are strong and above industry average. This could be tied to its ongoing celebrity endorsement strategy.
As illustrated in Figure 3, the data hack generated around one week of high coverage for Capital One, but impressions dropped off quickly after August 1, 2019. There are signs that Capital One's media coverage is returning to the upper end of the range that was observed on a day-to-day basis before the hack.
Figure 5: Capital One Media Impressions
(Source: Media RepTrak August 2018-August 2019)
Favorable Reputation Outlook for Capital One
Compared to Equifax’s post-crisis reaction, Capital One has operated with transparency and addressed the impact of the risk on consumers, fostering a quick decline in buzz around the hack. While eight days after the crisis Capital One’s media coverage is back to normal, Equifax media impressions where still on the rise during this same stage of its own 2017 scandal (See Figure 6).
While the general public might get over Capital One’s data breach in the next 12 months, the handling and mishandling of Equifax’s crisis continues to be newsworthy today.
Figure 6: Evolution of Media Impressions After Data Breach Crisis
(Source: Media RepTrak)
Learn more about our 2019 Bank RepTrak study below.
Senior Research Manager