Victims of personal data security breaches are showing their displeasure by terminating relationships with the companies that maintained their data, according to a new national survey sponsored by global law firm White & Case.
The independent survey of nearly 10,000 adults, conducted by the respected privacy research organization Ponemon Institute, reveals that nearly 20 percent of respondents say they have terminated a relationship with a company after being notified of a security breach.
Of the people we surveyed who received notifications, 19 percent said that they have ended their relationship with the company after they learned that their personal information had been compromised due to a security breach.
“Five percent may not seem like much, until you realize that anywhere between 23 million and 50 million Americans have received notification of a data security breach. That means that over one million people out there are likely seeking legal counsel. This should be particularly troubling to companies, especially in light of several putative class-action lawsuits recently filed in California against companies that experienced security breaches,” said David Bender, co-head of White & Case’s privacy practice.
Bender added that while it’s unclear just how any court might calculate damages for customers whose personal information has been breached but who have not suffered any clear harm, the fact that the plaintiffs’ bar is taking on such suits means they anticipate that courts may commiserate with customers’ frustration over breaches.
One of the top frustrations that consumers experience is that the company hasn’t clearly and effectively communicated exactly what effect the security breach will have on their personal information.
“Does a breach mean that an unauthorized person is using a consumer’s credit card to rack up purchases, or is assuming that consumer’s identity? Or simply that hackers broke into a company’s security system just for kicks and nothing untoward has happened? Either way, the survey reveals that companies need to be straightforward about what they know, as those companies who fail to communicate information in a clear, consistent and timely fashion are four times more likely to experience customer churn and those businesses that deploy canned emails or form letters to communicate a data breach to victims are more than three times as likely to lose customers than those that contact victims by telephone or personalized letters or a combination of both,” said Ponemon.
Overall, 39 percent of respondents said that they felt the message conveyed by the organization about the data security breach was not honest and believable, and 52 percent said that the notice was difficult to understand.
Bender said that a company should engage in prophylactic tactics both before and after a breach. In the event a breach occurs, the survey suggests that the company should send each victim a notification that is timely, is written in clear language free of technical or legal jargon, is detailed enough to describe what has happened, and that offers a victim assistance hotline.
Bender added that the smart companies will also handle the notification in the form of a personalized letter followed up with a phone call, both designed to distinguish them from direct marketing pieces.
Among the other top findings of the survey:
- The organizations most likely to report a breach are banks (20%), credit card companies (18%), governmental organizations (including state universities) (13%), and health care providers (9%).
- 86% of security breaches involved the loss or theft of customer or consumer information. About 14% involved employee, student, medical and taxpayer data.
- 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident. Only 8% of respondents did not blame the organization that reported the breach. Surprisingly, 12% said the incident enhanced their sense of confidence in the organization.
- Over 82% believed that an organization should always report a breach, even if the lost or stolen data was encrypted or there was no criminal intent.
- 59% of respondents don’t have confidence in US state or federal regulation to protect them from data security breaches.