Evaluating consumer sentiment and business response to data breaches

June 4, 2014
Study finds reputational risks from data breaches ranked alongside poor customer service, environmental incidents

In the wake of what can only be described as mega breaches at major companies over the past year, it should come as no surprise that data security is top of mind for policymakers, consumers and businesses. As security executives are aware, not a week or two goes by without hearing of another major data breach incident causing reputational damage and business disruption for the affected organizations.

However, what is less known is how consumers feel about data breaches and if heightened awareness has led to changes in their brand engagement or actions. Consumers should always be the North Star for companies responding to a data breach, and by better understanding their actions, feelings and behaviors, security professionals will have critical information and insights that can help their organizations better manage the data breach response process.

To better understand consumer sentiment, Experian Data Breach Resolution commissioned a report, “Aftermath of a Mega Data Breach: Consumer Sentiment,” with the Ponemon Institute, which studies cybersecurity and data protection. The survey revealed data breaches as one of the top three incidents that can affect a business’ reputation, ranked alongside poor customer service and environmental incidents. The reputational risk of a data breach was also listed ahead of publicized lawsuits, government fines and labor or union disputes in terms of impact on an organization, according to the study. Using these report findings, companies - and the security professionals assigned to protect customer data - can learn valuable lessons for how they should approach their response to a data breach incident and help maintain consumer trust.

Amidst Breaches, Consumers Send Mixed Signals

Overall, the Ponemon research found the increase in data breach notifications and related media coverage has caused consumers to become more apathetic. The increase in consumer notification was profound when compared to the results of another study (“Consumer Study on Data Breach Notification”) published just two years ago. The number of consumers who reportedly received a data breach notification doubled in 2013, and of that group, 62 percent said they received multiple data breach notifications involving separate incidents. But, rather than taking action to protect themselves after a data breach, consumers are giving less attention to the severity of being affected and the importance of following recommended remediation directions. This phenomenon, which has been coined “data breach fatigue,” leads some consumers to not reset passwords or accounts that may have been compromised, failing to be extra vigilant in watching for targeted phishing attacks or not taking advantage of credit monitoring products provided by the affected company.

As consumers continue to be inundated with information about data breaches, it will be important for security professionals to work with their organizations to break through the notification clutter with relevant background which provides concise direction and guidance for customers to remedy and protect personal information. Without driving data breach awareness and resulting actions to protect data, if affected customers do end up experiencing fraudulent activity, the experience has proven time and again to negatively impact a consumer’s relationship with the breached company.

Heightened Consumer Concern

Despite data breach fatigue and more frequent inaction, a majority of consumers in the Ponemon research did indicate significant concerns over data breaches and identity theft – even if they have yet to be affected by such an incident. These near- and long-term perceptions and concerns can and will result in a loss of consumer confidence in the organization, harming brand reputation and ultimately affecting the bottom line. The top consumer concerns for data breaches and identity theft, as highlighted by the research, include:

  • 78 percent worry most about having their Social Security number stolen, followed by passwords and PIN number (71 percent) and credit card or bank payment information (65 percent); 
  • 24 percent say they were extremely or very concerned about becoming a victim of identity theft before having their personal information lost or stolen. Following a data breach, those concerns doubled;
  • The aftermath of a data breach can be long lasting - 48 percent of respondents noted they believe their identity is at risk for years or forever; 
  • And, worse yet, 57 percent of respondents reported they were less likely to have a relationship with a company following a breach.

For security professionals, it is clear combating consumers’ heightened concern following a breach requires an integrated, thoughtful response and actions. For many consumers surveyed, companies which offer free identity theft protection (63 percent), deliver clear communications (67 percent) that don’t “sugar coat” information and discloses all of the facts (56 percent) were top priorities for data breach resolution. Interestingly, respondents also indicated it was important for the media to report timely details about data breaches to help influence a corporate response (67 percent), generate broad awareness for potentially affected individuals (54 percent) while alerting victims to take action to protect their personal information (53 percent).

With these perspectives in mind, organizations and security professionals should be prepared to provide consumers affected by a data breach credit monitoring services while focusing on the communications that drive awareness and action for near- and long-term remediation and protection. For data breach notification letters, companies should provide a clear overview of the latest information and necessary facts available on the incident along with guidance for how consumers can protect themselves. However, with consumer interest in media’s role highlighting data breaches, companies should also evaluate which communication mediums will effectively reach their stakeholders, along with the appropriate timing, including public statements, website updates and direct emails. Using these communication channels, delivered at the right time, can provide effective ways for security professionals to reach consumers to help manage, protect and resolve a data breach incident.

Getting the response right in the heat of a data breach is easier said than done. The mega breaches that have played out publically in recent months, along with the consumer sentiment insights from this Ponemon research, show companies must ensure they react and respond to an incident by planning ahead and having a response plan in place with security and communication professionals working closely together. Data breaches will continue to be a threat for security professionals to address, but surviving the aftermath of an incident can ensure companies maintain their credibility and reduce the impact of a major incident on the bottom line.

About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president of the Experian Data Breach Resolution group. A veteran with more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the on the Medical Identity Fraud Alliance (MIFA) Steering Committee, Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.