Few Consumers Stop Doing Business With Hacked Companies

A new Rand Corp. study found that only 11% of consumers who have ever been notified of a data breach said they stopped doing business with the hacked company after the event occurred.

SANTA MONICA, Calif. – About a quarter of American adults reported that they were notified about their personal information being part of a data breach in the previous year, but only 11% of those who have ever been notified say they stopped doing business with the hacked company after the event occurred, according to a new Rand Corp. study.

The findings are from one of the first examinations of consumers’ experiences with data breaches and the impact it has on their relationships with the companies that lose their personal information.

READ NEXT: How to Protect Wireless Intrusion Systems From Cyber Threats

“While data breaches have become an alarmingly common part of American life, most people appear satisfied with companies’ responses to data breaches and few decide to take their business elsewhere,” said lead author Lillian Ablon, a cybersecurity and emerging technologies researcher at Rand, a nonprofit research organization, based here. “It’s unclear whether this response will induce companies to improve their breach notification practices.”

The Rand survey found that among those who remembered receiving a data breach notification at any time over their lifetime, about 44% said they were aware of the hack even before they received notification. About 10% discovered the breach by identifying suspicious activity themselves.

The survey found that 62% of consumers accepted offers of free credit monitoring. This counters claims made by others that consumers are experiencing “breach fatigue” – where consumers become desensitized to the notices and either discount them or ignore important information contained in the notices.

The three main reasons for declining such offers were the time and effort required to register for the service, concerns about the hacked company or the breach notification service, and whether the offer duplicated services the victim already had.

More than three-quarters of those surveyed (77%) said they were highly satisfied with the company’s post-breach response. However, ethnic minorities were less likely to report being satisfied with the company’s breach response, placed a higher dollar value on the inconvenience caused by the breach and were more likely to cease doing business with the related company.

“Our research shows the importance of legislation that requires companies to notify individuals when a breach occurs,” Ablon said. “Data breach notification laws empower consumers to take quick action to reduce risk and create incentives for companies to improve data security. Unfortunately, data breach laws are not uniform or even present for every state.”

While most states have laws requiring that consumers be notified of data breaches, three states – Alabama, New Mexico and South Dakota – have no such legislation. Survey participants in those three states reported lower rates of having ever received a data breach notice as compared to people from states with notification laws, although the difference was not statistically significant.

The survey questioned a nationally representative sample of 2,038 adults who participate in the Rand American Life Panel, an Internet-based survey panel.

The survey was fielded between May 15 and June 1, 2015, and designed to provide a snapshot of the frequency of breach notifications and the types of data compromised, as well as consumer reactions to the breach, the notification process and the affected company. The survey also examined estimates regarding the perceived personal cost of the breach, as well as suggestions regarding future notifications and data protection measures.

Among those experiencing a data breach during their lifetime, people with higher income and those with more education were more likely to recall being notified of a breach, as compared to younger adults (ages 18-34) and senior citizens (ages 65 and older). More than 12% of those surveyed received two or more notifications in the year preceding the survey.

Ablon said the low proportion of consumers who penalized a company for a data breach may highlight that while a consumer always can to choose to shop at another retailer, it is more difficult to make a switch when a data breach hits a person’s health insurer, mortgage company or employer.

Among survey participants who estimated a dollar-equivalent cost for the inconvenience caused by a data breach, the median amount was $500. Thirty-two percent felt the breach imposed no dollar loss to them. Median dollar values were higher if health information ($1,000), social security numbers ($1,000) or other financial information ($864) was compromised. Just under 6% of those who had ever received a data breach notification (or an estimated 6 million U.S. adults) felt that the inconvenience cost them $10,000 or more. Of those who experienced an extreme inconvenience, the breach typically involved credit card or health information.

Respondents recommended several steps companies could take to better protect personal information. The steps that would highly satisfy most respondents included taking measures to ensure a similar breach cannot occur in the future, offering free credit monitoring to make sure lost data is not misused and notifying consumers immediately. All three were valued more highly than receiving compensation for financial loss or an apology from the company.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.

A FREE subscription to the top resource for security and integration industry will prove to be invaluable.

Subscribe Today!

Get Our Newsletters