Data Breach? Consumers Are Forgiving, According To Cybersecurity Survey; Most Satisfied With Company Response
In the digital age, a hacker getting a hold of our personal data is par for the course. A quarter of American adults report they have been in the uncomfortable position of learning their information was involved in a data breach. It doesn’t seem to matter, though — only 11 percent of those people say they stopped doing business with the hacked company after their information was compromised, according to a new survey from the RAND Corporation.
The survey is one of the first to examine consumers’ experiences with data breaches and how those experiences affect their relationship with the company that lost their data. "While data breaches have become an alarmingly common part of American life, most people appear satisfied with companies’ responses to data breaches and few decide to take their business elsewhere," the study’s lead author Lillian Ablon, a cybersecurity and emerging technologies researcher at RAND, said in a press release. "It’s unclear whether this response will induce companies to improve their breach notification practices."
RAND, a nonprofit research organization, questioned a nationally representative sample of 2,038 adults in order to get a snapshot of the frequency of breach notifications, what kind of data was compromised, customers’ reactions to the security failure, and how the company reacted. Results showed that about 44 percent of respondents had not known they were hacked prior to being notified. Only around 10 percent said they noticed the breach by discovering the suspicious activity themselves. And 62 percent of consumers said they accepted offers of free credit monitoring after a breach, a surprising finding that counters claims that consumers are experiencing “breach fatigue” — a phenomenon where customers become desensitized to the loss of information and either ignore or discount important information contained in notices from companies, the study authors found.
Those who declined offers for credit monitoring cited the time and effort required to register for the service as their main reason for saying no, followed by concerns about the hacked company and whether the offer was a duplicate of services the consumer already had. Seventy-seven percent of those surveyed indicated that they were highly satisfied with the company’s post-breach response. Interestingly, however, ethnic minorities were less likely to be highly satisfied with the response, placing a higher dollar value on the inconvenience caused by the breach. Minorities were also more likely to stop doing business with the hacked company.
Ablon explained that the low proportion of consumers who punished a company for a data breach may highlight that it’s easy to shop at another retailer, but much more difficult to swap a health insurer, mortgage company, or employer.
The survey respondents made several recommendations to companies so they could better protect personal information, including taking better measures to ensure such a breach doesn’t happen in the future, offering free credit monitoring to ensure lost data is not misused, and notifying consumers immediately. These steps were all valued more highly than financial compensation or an apology from the company.
Source: Ablon L, Heaton P, Lavery D, Romanosky S. Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information. Rand Corporation. 2016.