Security breaches that compromise confidential customer data could prove far costlier for the companies involved than generally thought.
In a national survey of more than 1,000 victims of personal data security breaches, nearly 20 percent said they had already terminated their relationships with companies that maintained their data, while another 40 percent said they might do so. And nearly 5 percent of those surveyed said they had hired lawyers to seek legal recourse after their data was put at risk.
The numbers highlight growing consumer angst over personal data compromises, said David Bender co-chair of the privacy practice at White & Case LLC, a New York-based law firm that sponsored the survey. The survey was independently conducted by the Ponemon Institute LLC, a privacy think tank in Tucson, Ariz.
Ponemon"s National Survey on Data Security Breach Notifications was completed in August and the results were released on Monday. The survey was conducted to find out how individuals reacted to data security breach notifications. More than 51,000 people were invited to participate in the survey via e-mail, and the results are based on the responses of 1,109 people who said they had been informed of breaches involving a compromise of their personal information.
"It was not surprising that consumers had already terminated or would want to terminate their relationships" after a data breach, Bender said. "What was surprising was the actual percentages. No one expects the consequences will be good (after a data compromise), but few realized just how serious the ramifications can be."
The timeliness, manner and effectiveness with which companies communicate the details of a security breach have a direct impact on the fallout, said Larry Ponemon, founder of the Ponemon Institute.
Companies that are straightforward in communicating what they know about a breach, as soon as they have the relevant details, are likely to see far less "consumer churn" than companies that are evasive, he said. How customers are notified of breaches also appears to be crucial, he said. Standard form letters and e-mails, for instance, are viewed far more skeptically than personalized letters and phone calls, he said.
In many cases, data breach notifications that are sent are simply overlooked or discarded as junk mail or spam.
"If a company has a breach and it wants to mitigate the potential costs and loss of customer trust they should start considering it as an important communication opportunity to prove to the customer that it cares about them," Ponemon said.
The fact that nearly 12 percent of survey respondents said their confidence in a company had actually increased after they were notified of a security breach points to the value of effective communication, he said.
Often the damage from data security breaches goes beyond just scaring customers away. Nearly 58 percent of respondents to the survey said a breach had decreased their sense of trust and confidence in the organization reporting the incident.
Even though consumers may not always immediately end their relationship with a company, a breach can "lessen the relationship" between the two, Ponemon said. Affected consumers for instance, are likely to be less receptive to new offers and services and are more likely to switch companies when they can. The ability to attract new customers can also be seriously hurt by a data security breach, he said.
As a result, Ponemon said, it is better to incur "large upfront costs" if necessary to properly communicate the scope of a breach.