September 27, 2005
Victims of personal data security breaches are showing their displeasure by terminating relationships with the companies that maintained their data, a survey finds.
The independent survey of nearly 10,000 adults, conducted by the Ponemon Institute, found that nearly 20 percent of respondents say they have terminated a relationship with a company after being notified of a security breach.
"Companies lose customers when a breach occurs. Of the people we surveyed who received notifications, 19 percent said that they have ended their relationship with the company after they learned that their personal information had been compromised due to a security breach," said Larry Ponemon, founder and head of the Ponemon Institute.
"A whopping 40 percent say that they are thinking about terminating their relationship."
The survey also found that five percent of Americans have hired lawyers upon learning that their personal information may have been compromised.
"Five percent may not seem like much, until you realize that anywhere between 23 million and 50 million Americans have received notification of a data security breach. That means that over one million people out there are likely seeking legal counsel," said David Bender, co-head of the privacy practice at White & Case, the law firm that sponsored the study.
"This should be particularly troubling to companies, especially in light of several putative class-action lawsuits recently filed in California against companies that experienced security breaches," Bender said.
Bender added that while it is unclear how a court might calculate damages for customers whose personal information has been breached but who have not suffered any clear harm, the fact that the plaintiffs' bar is taking on such suits means they anticipate that courts may commiserate with customers' frustration over breaches.
One of the top frustrations that consumers experience is that the company hasn't clearly and effectively communicated exactly what effect the security breach will have on their personal information.
"The survey reveals that companies need to be straightforward about what they know, as those companies who fail to communicate information in a clear, consistent and timely fashion are four times more likely to experience customer churn," said Ponemon.
"And those businesses that deploy canned emails or form letters to communicate a data breach to victims are more than three times as likely to lose customers as those that contact victims by telephone or personalized letters or a combination of both," he said.
Overall, 39 percent of respondents said that they felt the message conveyed by the organization about the data security breach was not honest and believable, and 52 percent said that the notice was difficult to understand.
Among the other top findings of the survey:
The organizations most likely to report a breach are banks (20%), credit card companies (18%), governmental organizations (including state universities) (13%), and health care providers (9%).
86% of security breaches involved the loss or theft of customer or consumer information. About 14% involved employee, student, medical and taxpayer data.
58% said the breach decreased their sense of trust and confidence in the organization reporting the incident. Only 8% of respondents did not blame the organization that reported the breach. Surprisingly, 12% said the incident enhanced their sense of confidence in the organization.
Over 82% believed that an organization should always report a breach, even if the lost or stolen data was encrypted or there was no criminal intent.
59% of respondents don't have confidence in US state or federal regulation to protect them from data security breaches.