BreachExchange mailing list archives

Can consumers forgive a security breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 7 Aug 2014 19:43:57 -0600

http://www.utsandiego.com/news/2014/aug/05/consumers-after-security-breach-pf-changs-target/

Data breaches have pummeled several major retailers over the last year,
with P.F. Chang's China Bistro and customers at 33 of its restaurants in 16
states the latest victims.

The restaurant chain announced Monday that for eight months between Oct.
19, 2013 and June 11 this year, hackers were using a breach in the
company's credit card processing system to steal credit and debit card
information, including expiration dates and in some cases cardholders'
names.

It's no wonder then that 45 percent of customers don't trust retailers with
their information, according to a study published in June by Interactions,
a firm specializing in marketing to consumers through on-site experiences.

And of those shoppers surveyed who have had their information stolen
through a security breach:

- 85 percent tell others about their experience,
- 33.5 percent use social media to complain about their experience

But while breaches can mean immediate declines in traffic and sales for
companies, the same study shows that consumers are more willing to forgive
a security infringement than it might seem. That's true especially if they
feel like the retailer is communicating early and often with them about
what happened and what steps it is taking to minimize risk in the future.

Consumers surveyed said that if a retailer experienced a security breach,
42 percent of them would return to that retailer within a month and 19
percent would come back within six months. An additional 22 percent said
they would return as soon as the breach were corrected. Nineteen percent
would continue doing business with the retailer, unfazed. Only 13 percent
said they would be uncomfortable shopping there ever again.

Still, 79 percent are more likely to use cash instead of credit cards, the
study shows, and 26 percent will intentionally spend less than before.

"Retailers know that if you have to shop with cash, you spend less money,"
explained Giovanni DeMeo, Vice President of Global Marketing and Analytics
at Interactions. "A large number of shoppers said that after a breach, 'I’m
going in with cash,' and theoretically that’s going to have a huge impact
on these retailers."

If Target is a test case of the fallout from such incidents, the effects —
while lasting — don't have to spell doom for the retailer.

Eight months after the payment information for more than 40 million cardholders
was hacked during the busiest shopping season of the year,
Minneapolis-based Target is still controlling the damage but estimates the
breach has cost less than 1 percent of sales.

The company said Tuesday that its second-quarter expenses for the breach
reached $148 million, or 0.2 percent of its $72.596 billion in annual
revenue — "the financial equivalent of a parking ticket," wrote Forbes
contributor Paula Rosenblum.

"Human nature is that we have a tendency to soften things as we remember
them," DeMeo said of why shoppers will return to a retailer after their
information has been compromised. "People tend to forgive."

Most people are also aware that doing business in an electronic world is
inherently risky, he added.

Some, like Urban Outfitters' information security chief, think disclosing a
data breach is overrated and could expose vulnerabilities. But 47 states
require it.

What retailers can take away from the report, DeMeo said, is that
transparency and taking action to minimize the risk of future breaches are
the keys to winning back consumers.

That means going directly to customers, explaining what happened and what
you plan to do to mediate the damage and reminding them that you value
their privacy as much as they do, DeMeo said.

"If you do that, shoppers are much more forgiving than if they're finding
out after the fact or getting bits and pieces from mainstream media," he
said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
