Daily Alert

12 December 2008

Data Breaches and Customer Loyalty

Below is a discussion of whether businesses or organizations suffer any consumer-based ramifications from a data breach. Here is my two cents. As the Stillsecure blog alludes to, breaches need to be defined based upon what was lost. There is a huge difference between losing sales-based information, i.e., credit card or debit card account information (further sub-divided by adding checking account routing and account numbers), and actual personal identifying information (PII). One way to think about the loyalty question is to frame it within an understanding of the consequences to the consumer. When credit card or debit card numbers are lost in a breach, what typically happens? Either the consumer or, proactively, the credit card issuer will cancel the card and mail the consumer a new one. Big deal. This is a minor cost to the consumer and, while it may be an inconvenience, it will hardly affect the behavior of too many consumers.

Let's face it. Financial data is free-flowing and many hands touch it. A consumer should expect that his/her credit and debit information will be stolen a few times during their adult life. If the credit or debit information were actually used, that is a slightly greater inconvenience. The consumer calls the issuer, denies knowing about the transaction, and in 95% of the cases the charge to the consumer is written off as fraud. This still doesn't affect the loyalty too much. Throw in some credit monitoring and most consumers have very little reason to be concerned.

Now, what if what was lost was PII or medical records or tax/employment earnings records? That is a totally different matter, one which generates anger and fear in the minds of customers and, yes, brings loyalty into question. Is there another vendor I could patronize instead of the one who didn't take proper precautions to guard my information? I have a cartoon on my desk which reads "I didn't say it was your fault. I said I'm going to blame it on you." Whether or not the data management of the organization was well crafted, the impression is that 'you lost it, it's your fault', despite what could have been the best efforts of the organization to protect their records. And if the breach results in identity theft victims, the affected company had better prepare itself to cover the expense of identity restoration. While it does indeed matter what the relationship between the consumer and organization was before the breach, chances are the affected consumer is still going to re-think his/her relationship with the company after becoming a victim of fraud which is tied back to the organization's breach.

But this is business. An organization which experiences a data breach of PII MUST REACT PROPERLY, QUICKLY AND EFFECTIVELY by notifying the affected consumers and offering them some sort of compensation. This action is only partly to reduce the liability which could result in class action suits and also Attorney General investigations. Call me cynical, but reacting properly to the breach is more important for the customers that you do not as of yet have than for the customers that the business currently has. Re-building reputation is potentially far more expensive than the costs of a proper response to a data breach.

Do data breaches really cost companies customers? - Still Secure After All These Years Blog

Adam Dodge writing on the Security Catalyst blog (another great SBN member site) writes about how data breaches have a substantial impact on companies losing customers. Adam points out that nothing will make a company take security more seriously than hits to the bottom line. Adam cites two recent studies to prove how data breaches make customers lose faith in the breached companies and how a substantial amount (30% or more) terminate their relationship.

I don't buy this for a second. In fact I think for many kinds of breaches, it doesn't affect bottom line or customer loyalty at all. DSW Shoes, TJX, Best Buy - none of these retailers had any lingering effect to the bottom line or their stock prices as a result of data breaches. Adam's evidence from two studies are both sponsored by companies that make their living in id management and identity protection. These are hardly neutral parties.

I can understand if the data breach was your banking institution, but when it comes to retail at least, I don't think people stop shopping there. That is not to say that they don't get upset and on a short term basis bitch and moan about it. But long term the next time DSW has shoes on sale or Best Buy is running a great deal on HD TV, consumers will be lining up to buy. Also the fact that stock prices are not affected is not lost on executive management of these companies.

The fact is until there are real hits to the bottom line from these high profile breaches, as a business plan it may be cheaper to absorb the cost of a breach than to try to lock it down and prevent them.

* The two studies Adam mentions are here:

Javelin Research

Ponemon Study
