12 December 2008

Data Breaches and Customer Loyalty

Below is a discussion concerning whether or not businesses or organizations suffer any consumer based ramifications from a data breach. Here is my two cents. As the Stillsecure blog alludes to, breaches need to be defined based upon what was lost. There is a huge difference between losing sales based information ie. credit card or debit card account information (further sub-divided by adding checking account routing and account numbers) and actual personal identifying information (PII). One way to think about the loyalty question is to frame it within an understanding of the consequences to the consumer. When credit card or debit card numbers are lost in a breach what typically happens? Either the consumer or pro-actively the credit card issuer will cancel the card and mail the consumer a new one. Big deal. This is a minor cost to the consumer and while it may be an inconvenience, it will hardly affect the behavior of too many consumers.

Let's face it. Financial data is free flowing and many hands touch it. A consumer should expect that his/her credit and debit information will be stolen a few times during their adult life. If the credit or debit information were actually used, that is a slightly greater inconvenience. The consumer calls the issuer, denies knowing about the transaction and in 95% of the cases the charge to the consumer is written off as fraud. This still doesn't affect the loyalty too much. Throw in some credit monitoring and most consumers have very little reason to be concerned.

Now, what if what was lost was PII or medical records or tax/employment earnings records? That is a totally different matter, one which generates anger and fear in the minds of customers and yes brings to question loyalty. Is there another vendor I could patronize instead of the one who didn't take proper pre-cautions to guard my information? I have a cartoon on my desk which reads "I didn't say it was your fault. I said I'm going to blame it on you". Whether or not the data management of the organization was well crafted or not, the impression is that 'you lost it, its your fault' despite what could have been the best efforts of the organization to protect their records. And if the breach results in identity theft victims, the affected company had better prepare itself to cover the expense of identity restoration. While it does indeed matter what the relationship between the consumer and organization was before the breach, chances are the affected consumer is still going to re-think his/her relationship with the company after becoming a victim of fraud which is tied back to the organization's breach.

But this is business. An organization which experiences a data breach of PII MUST REACT PROPERLY, QUICKLY AND EFFECTIVELY by notifying the affected consumers and offering them some sort of compensation. This action is only partly to reduce the liability which could result in class action suits, but also Attorney General investigations. Call me cynical, but reacting properly to the breach is more important for the customers that you do not as of yet have than for the customers that the business currently has. Re-building reputation is potentially far more expensive than the costs of a proper response to data breach.

Do data breaches really cost companies customers? - Still Secure After All These Years Blog

Adam Dodge writing on the Security Catalyst blog (another great SBN member site) writes about how data breaches have a substantial impact on companies losing customers. Adam points out that nothing will make a company take security more seriously than hits to the bottom line. Adam cites two recent studies to prove how data breaches make customers lose faith in the breached companies and how a substantial amount (30% or more) terminate their relationship.

I don't buy this for a second. In fact I think for many kinds of breaches, it doesn't effect bottom line or customer loyalty at all. DSW Shoes,TJX, Best Buy - none of these retailers had any lingering effect to the bottom line or their stock prices as a result of data breaches. Adam's evidence from two studies are both sponsored by companies that make their living in id management and identity protection. These are hardly neutral parties.

I can understand if the data breach was your banking institution, but when it comes to retail at least, I don't think people stop shopping there. That is not to say that they don't get upset and on a short term basis bitch and moan about it. But long term the next time DSW has shoes on sale or Best Buy is running a great deal on HD TV, consumers will be lining up to buy. Also the fact that stock prices are not effected is not lost on executive management of these companies.

The fact is until there are real hits to the bottom line from these high profile breaches, as a business plan it may be cheaper to absorb the cost of a breach than to try to lock it down and prevent them.

* The two studies Adam mentions are here:

Javelin Research

Ponemon Study

Stumble Upon Toolbar


What Words Offend Arabs? The Truth.

Children's Poetry Booklet Recalled After Arabs Complain
(Israeli censorship kowtows to Arabs.
When Will We Tell The Truth Without Fear)

(IsraelNN.com 7 Sivan 5768/June 10, '08) Ynet's web site and Arab complaints against a ten-year-old boy's poem about terrorists has resulted in the recall of all of the Nes Ziona municipality's children's poetry booklets.

Ynet boasts that its coverage of the poem resulted in its being recalled.

The text of the poem (Ynet's translation):

Ahmed's bunker has surprises galore: Grenades, rifles are hung on the wall. Ahmed is planning another bombing!What a bunker Ahmed has, who causes daily harm.Ahmed knows how to make a bomb. Ahmed is Ahmed, that's who he is, so don't forget to be careful of him.We get blasted while they have a blast!Ahmed and his friends could be wealthy and sunny, if only they wouldn't buy rockets with all their money.

Poetry competition director Marika Berkowitz, who published the booklet, was surprised at the protests and told Ynet: "This is the boy's creation and this is what he wanted to express. Of course there should be a limit, but I think the there is no racism here. 'Ahmed' is a general term for the enemy. These are the murmurings of an innocent child."

The Education Ministry told Ynet: "The local authority that published the booklet should have guided the students in a more correct manner through the schools. The district will investigate the issue with the local authorities."
4Torah.com Search from Pre-Approved Torah sites only
Custom Search

Twitter Updates

    follow me on Twitter