[ISN] Survey: Security breaches could prove costly to data companies

InfoSec News isn at c4i.org
Thu Sep 29 00:28:07 EDT 2005


By Jaikumar Vijayan 
SEPTEMBER 28, 2005

Security breaches that compromise confidential customer data could
prove far costlier for the companies involved than generally thought.

In a national survey of more than 1,000 victims of personal data
security breaches, nearly 20% said they had already terminated their
relationships with companies that maintained their data, while another
40% said they might do so. And nearly 5% of those surveyed said they
had hired lawyers to seek legal recourse after their data was put at

The numbers highlight growing consumer angst over personal data
compromises, said David Bender co-chair of the privacy practice at
White & Case LLC, a New York-based law firm that sponsored the survey.  
The survey was independently conducted by the Ponemon Institute LLC, a
privacy think tank in Tucson, Ariz.

Ponemon's National Survey on Data Security Breach Notifications was
completed in August and the results were released on Monday. The
survey was conducted to find out how individuals reacted to data
security breach notifications. More than 51,000 people were invited to
participate in the survey via e-mail, and the results are based on the
responses of 1,109 people who said they had been informed of breaches
involving a compromise of their personal information.

"It was not surprising that consumers had already terminated or would
want to terminate their relationships" after a data breach, Bender
said. "What was surprising was the actual percentages. No one expects
the consequences will be good [after a data compromise], but few
realized just how serious the ramifications can be."

The timeliness, manner and effectiveness with which companies
communicate the details of a security breach have a direct impact on
the fallout, said Larry Ponemon, founder of the Ponemon Institute.

Companies that are straightforward in communicating what they know
about a breach, as soon as they have the relevant details, are likely
to see far less "consumer churn" than companies that are evasive, he
said. How customers are notified of breaches also appears to be
crucial, he said. Standard form letters and e-mails, for instance, are
viewed far more skeptically than personalized letters and phone calls,
he said.

In many cases, data breach notifications that are sent are simply
overlooked or discarded as junk mail or spam.

"If a company has a breach and it wants to mitigate the potential
costs and loss of customer trust they should start considering it as
an important communication opportunity to prove to the customer that
it cares about them," Ponemon said.

The fact that nearly 12% of survey respondents said their confidence
in a company had actually increased after they were notified of a
security breach points to the value of effective communication, he

Often the damage from data security breaches goes beyond just scaring
customers away. Nearly 58% of respondents to the survey said a breach
had decreased their sense of trust and confidence in the organization
reporting the incident.

Even though consumers may not always immediately end their
relationship with a company, a breach can "lessen the relationship"  
between the two, Ponemon said. Affected consumers for instance, are
likely to be less receptive to new offers and services and are more
likely to switch companies when they can. The ability to attract new
customers can also be seriously hurt by a data security breach, he

As a result, Ponemon said, it is better to incur "large upfront costs"  
if necessary to properly communicate the scope of a breach.

More information about the ISN mailing list