Duty to Notify
Data breach notification laws define the requirements of an entity that has been subject to a data breach with respect to their obligations to notify their customers and other parties about the breach. All but two states (Alabama and South Dakota) have some kind of data breach notification law. In addition, there are numerous federal laws protecting specific types of data as well.
For companies doing business in multiple States, notification obligations can be very confusing as state laws differ in definition, notification timing, and what constitutes compliance. Nevertheless, a company that has experienced a data breach must quickly determine their notification requirements.
Cost of a Data Breach
The average cost of a data breach In the U.S. is $7.35 million, or $225 per record lost or stolen. That’s more than $2 million higher than any other country, (Cost of Data Breach Study, Ponemon Institute, 2017).
There are two kinds of costs to an organization: direct and indirect.
Direct costs include cyber security and forensic expertise, lawyers, PR, hotline calls center support, free credit monitoring, and IT replacement of damaged equipment.
Indirect costs are more difficult to quantify. However, it can be argued that these costs can have a more dramatic and long-term negative consequence. Indirect costs include stock price reduction, loss of customers after a breach (“customer attrition”) and the harm to reputation and goodwill.
What We Know About Customer Loss
Studies have clearly shown that the relationship between the customer and the organization is negatively impacted after the company has experienced a data breach. This impact can range from loss of trust to customers no longer willing to do business with the affected company. Regardless of whether the customer stays, the data is clear that customers will have a very high negative perception of the breach immediately after a data incident.
How the company responds will directly and dramatically determine the level of customer abandonment.
Even a slight rise in customer attrition can translate into significant losses. Ponemon estimates organizations with less than 1% abnormal customer attrition lost an average total of $2.6 million after a breach. Organizations with more than 4% abnormal customer attrition lost an average of $5.1 million.
A Gemalto study highlighted the negative impact to a brand by surveying over 10,000 people worldwide. This study found that 70% of consumers would stop doing business with a company that suffered a data breach.
Interestingly, industries most affected by customer attrition due to a data breach were found in financial, healthcare, and service verticals. U.S. based companies’ experience the highest costs associated with lost business.
Mitigating Customer Attrition – Best Practices
Set the standard. How a company handles the data breach can have a significant, positive impact on customer attrition and brand perception over time.
A key lesson learned from companies that have handled a data breach effectively is that there is a large gap between what companies are required to do, and what they should do to retain customers and their revenue.
Below are some key takeaways that businesses can do to help prevent customer loss after a breach:
- Timely notifications. Long delays can be perceived by customers as you are hiding something and/or they are not important. Strive to notify as quickly as possible with whatever information you can share at the time.
- Communicate. Transparent, honest and sincere communication both internally and externally is critical. Customers want to see an organization take ownership of the breach, explain what happened, how the event could affect operations, how the problem is being fixed, and how the organization will support its customers going forward.
- Trustworthiness. Developing trust by taking full responsibility is an effective approach to crisis management and will benefit the brand in the long term. Remember, the quality of information provided will be an important determinate in a customer’s decision to stay. Studies have found unbelievable or misleading statements, that fail to reduce fears, even if factual, can be harmful to the brand. Notification letters and public communication about the breach are crucial in determining customers’ reactions.
- Educate. Provide customers with Explain what is being done to mitigate damages and remediate the problems, define the customers’ next steps they can or need to take, offer key information, support phone numbers, websites resources, free credit monitoring etc. At little or no cost, an organization can provide real educational value and be perceived as a trusted resource.
- Consider offering free or subsidized monitoring, threat alerts or breach protection services. Over the last few years, offering identity protection services have proven to be an effective strategy for customer retention. These products are excellent for breaches that impact personal information that could lead to identity theft. New products such as CyberSafe (www.cybersafeprotect.com) provide affordable cyber threat intelligence, legal protections and breach reimbursement coverage. These products are well-suited for business to business companies where protecting the customers’ organization is the priority. Check with your cyber insurance provider to see if they cover the cost of post-breach services. It’s possible that the services are covered under your insurance policy. If they are not, in many cases, offering such services is more affordable than new customer acquisition strategies.
A customer-centric response approach
To prevent significant customer attrition following a data breach, it’s critical that you notify your customers in a timely fashion, be transparent and with as much detail as possible. Provide useful information designed to educate the customer and, if appropriate and affordable, offer free or discounted services designed to either protect customers’ identity or their organization (B2B businesses).
This customer-centric approach to breach response will help you prevent costly customer churn and, in turn, minimize revenue loss.