The Deal-Breaker: Impacts of Poor Data Security on Customer Retention

As massive data breaches become a regular occurrence, people are paying attention in a number of different ways. One example is the rash of new data protection regulations designed to ensure that organizations collecting, processing, and storing customers’ sensitive data are taking appropriate precautions to protect it against attack.

However, the new focus on data security is not limited to governments. Consumers have become increasingly aware of how a company’s poor cybersecurity practices can personally impact them.

As data breaches become commonplace, the ability to properly secure a customer’s personal data has become a valuable tool for marketing, and many customers state that they now make purchasing decisions based upon a company’s cybersecurity. Failure to properly secure customer data can have much greater costs than the fines levied by regulators after a data breach.

Customers are Fed Up with Breaches

Breaches have become a daily occurrence as cybercriminals take advantage of organizations failing to properly secure their customers’ data. Many of these data breaches expose extremely sensitive information, including payment card data, personally identifiable information (PII), and account credentials. The effort required by a consumer to deal with the aftereffects of a data breach can be significant, including changing account passwords, freezing credit, and other steps to protect against impersonation and identity theft.

The number of recent data breaches has prompted the passage of several new data protection regulations. Many of these regulations include stiff penalties for organizations that failed to implement proper security controls to protect the sensitive data entrusted to them. However, one factor of the breach that is not widely legislated is the compensation that companies owe a consumer after breaching their personal data. The exact “value” of breached data has not been established, and many organizations are given a great deal of leeway in deciding what constitutes appropriate compensation.

Unsurprisingly, many organizations don’t offer much to impacted customers after a breach. A common offer is free credit monitoring, but the sheer number of recent data breaches means that most consumers already have monitoring in place as a result of past breaches. As a result, many organizations are not required to provide much or any real compensation to their customers.

Absurd compensation packages have a significant impact on an organization’s brand reputation. A classic example of this is the Equifax breach, where the company negotiated with the Federal Trade Commission to offer affected parties either free credit monitoring or $125 as a settlement. However, both organizations assumed that most people would take the “more valuable” credit monitoring option, and the settlement fund for claims was capped at $31 million.

With 148 million impacted consumers, only 17% of victims could make the claim and receive the promised amount, and the fact that many already had monitoring in place as mentioned before, meant that the number was far higher. As a result, the settlement was essentially worthless to consumers, and the FTC’s attempts to convince customers that the monitoring was the more valuable option resulted in a greater loss of reputation for the FTC and Equifax.

Most Consumers Will Leave After a Breach

The handling of the Equifax settlement is only one of several cases where brand reputation is hurt after a breach. Relative to other companies, Equifax is getting off easy since customers have no choice about using their services. As a credit monitoring agency, Equifax receives customer data from directly financial organizations, not customers.

However, in industries where customers actually have a choice about who gets access to their data, organizations may have a problem retaining customers if they can’t properly protect those customers’ personal data. 53% of customers say that the failure to have a strong data protection policy in place can be a deal breaker, and 64% have gone to a competitor based upon an organization’s poor cybersecurity.

As data breaches become more common and visible, the ability to properly protect sensitive data is increasingly a selling point for organizations. Beyond the potential regulatory impacts of having inadequate data security controls in place, an organization may suffer longer-term damage due to loss of customer trust and brand location if they fail to protect customer data.

Implementing Strong Data Protection

When it comes to customer awareness, there is a big difference between a cybersecurity incident and a data breach. If an organization has an intruder gain access to their network but the attacker doesn’t manage to steal any sensitive data, the incident will probably not make it to the press. However, if that same intrusion results in customer data being exposed by the hacker, it often suddenly becomes headline news.

Protecting the network against intrusions is important, but the sheer number of potential attack vectors means that it may be infeasible to detect and block every possible intrusion. However, an organization has a much better chance of successfully mitigating the impact of an incident by preventing the attacker from gaining access to valuable and sensitive data once they are inside.

Deploying a good data protection solution can help protect an organization’s network and brand reputation by decreasing the probability of a data breach. By monitoring access patterns and account behaviors, a data security system can detect and alert on anomalies that could indicate an attack in progress. The modern customer cares about their data privacy and security, making strong data security a necessary component of any organization’s cybersecurity strategy.