BreachExchange mailing list archives

Think shoppers forget retail data breaches? Nope


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 22 Jun 2015 17:19:19 -0600

http://www.cnbc.com/id/102767701

The recent data breach involving four million government workers is an
unpleasant reminder of how vulnerable our digital information has become.
On the consumer side, high-profile breaches at Target and Home Depot are
just two examples of dozens of similar cases. Surprisingly, many retail and
financial-services executives think that data breaches have become so
common that consumers will quickly forget.

That's anything but true. A survey of 1,060 U.S. consumers we conducted
late last year busts five commonly held myths about data breaches –
including the misconception that consumers are numb to them. Executives and
investors may be quick to forget, but shoppers are not, and that could
impact retailers' profit and share price.

Myth 1: Most consumers don’t know or care about data breaches.

Retailers may be shocked to learn that nearly 70 percent of the consumers
we surveyed could correctly identify companies that had been breached. And
they care. When asked how reports of data breaches have impacted their
shopping habits, 15 percent of respondents said they generally stopped
shopping at breached retailers and 23 percent generally stopped using
breached payment methods. Furthermore, our survey found that when a
consumer has been a victim of a breach, his or her reactions are even more
pronounced.

Myth 2: Data breaches don’t affect consumer spending.

With 15 percent of consumers planning to stop shopping at affected
retailers, revenue will take a hit. Even more dramatic, among those whose
personal data was breached, more than a quarter say they would stop
shopping at that retailer, and nearly a third would close their account.

And it gets worse. Among consumers who would continue shopping there,
almost 50 percent say they would change how they pay, with 60 percent of
them planning to use more cash (in place of credit and debit). Increased
use of cash matters because market data shows that those who pay with cash
have average ticket sizes that can be 10 to 20 percent lower.

Myth 3: If a retailer experiences a breach, only the retailer is impacted.

The impact of a data breach stretches into the payments space. Nearly half
of the consumers surveyed strongly believe that a breach is the bank's
fault as well as a retailer's. Furthermore, 43 percent say they have closed,
frozen or stopped using a particular payment account after hearing about a
data breach. These responses indicate that a data breach impacts the
revenues, profits and reputation of the entire transaction-processing
system.

Myth 4: If there is any consumer reaction to a data breach, it is
short-lived.

The prevailing view is that once the storm passes, business will quickly
return to normal. Indeed, stocks often take a short-term hit upon the news,
but eventually rebound to pre-breach levels. However, our survey results
suggest that consumers have longer memories than investors.

Although Target was breached in late 2013, this breach is still in the
minds of many Target customers who indicated to us in late 2014 that it
would affect their spending plans during the holiday season—nearly a full
year after the breach was reported.

Myth 5: Little needs to be done to bring customers back after a data breach.

Many affected retail companies and financial institutions have made little
effort to win back business. They seem to believe that consumer behavior
will not change. However, these executives may not truly understand what
portion of their customer base they have alienated.

We believe an effective response involves working to develop a deeper
understanding of customer reaction to the breach, along with a strategy to
win back at-risk customers. Knowing that there are specific groups of
customers who are likely to defect or pay with cash and decrease their
ticket size, breached companies must identify specific segments of at-risk
customers and develop highly targeted win-back strategies including special
offers and communications.

In fact, knowing that a data breach is almost inevitable – it is more a
question of "when" than "if" – retailers should have a recovery strategy
ready. Companies of all sizes need to prepare for such an event and should
not assume that customers will forgive or forget.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
