Consumers believe that a data breach that exposes personal information is one of the most damaging scenarios possible for an organization’s reputation. But it’s not just a company’s reputation that’s affected: a new study from KPMG finds that a sizable share of customers would leave a retailer following a data breach.
Indeed, financial loss is a top concern in a data breach, according to senior US cybersecurity executives responding to KPMG’s survey. That financial loss can come in many forms, but the separate consumer survey conducted by KPMG suggests that customer switching can be a real problem.
In fact, almost 1 in 5 consumers surveyed said they would no longer feel comfortable shopping at a big box retailer if their personal information were compromised through hacking, even if the retailer soon after addressed the security flaws. Even among those who would return to the retailer, more than half would wait at least 3 months before doing so.
Similar reticence was observed in other business sectors:
- More than 8 in 10 would have greater wariness of buying from an automaker (72%) or never buy again from the automaker (10%) if a particular vehicle brand was hacked;
- The vast majority would switch mobile carriers to one that guaranteed no personal data collection, in the event that their carrier disclosed that it had been tracking personal information that has now been hacked; and
- More than 7 in 10 would switch/disable cloud or social media providers if their cloud or social media account was hacked and their personal information as well as postings and photos were exposed or stolen.
Across both financial and retail sectors, it seems that consumers want timely acknowledgment of a breach and a guarantee to cover losses.
For example, the factors identified as most contributing to respondents not shopping again at a retailer that has been hacked, each cited by a majority, were:
- Lack of a solid plan to prevent future attacks (68%);
- Retailers’ refusal to cover losses (54%);
- Lack of timely acknowledgment/response (53%); and
- Informed by the press before being informed by the retailer (51%).
Likewise, if a consumer’s personal financial accounts were hacked, the following would lead them to close their accounts and move to a new institution:
- Bank’s refusal to cover losses (37%);
- A lack of timely acknowledgment/response (30%);
- Lack of a solid plan to prevent future attacks (24%);
- Learning about the incident via the press before being informed by the bank (22%); and
- All of the above (48%).
Overall, about 3 in 4 respondents expect that their institution would guarantee to cover their losses in the event of a security breach/loss of data. More than one-third would expect frequent communications and updates (38%) and a free credit report (35%), though few would count on a direct line to the institution’s security group to answer questions (13%).
In sum, it seems that in the event of a breach, customers want timely information and guarantees to cover current losses and prevent future ones.
About the Data: The KPMG study is based on 2 surveys: a corporate survey and a consumer survey.
The corporate survey was fielded among 403 senior cybersecurity executives residing in the US. Respondents were evenly split among CIO (25%), Chief Information Security Officer (25%), Chief Security Officer (25%) and CTO (25%). The industries represented include automotive (25%), financial services (25%), retail (26%) and technology (25%). All respondents come from companies with at least $100 million in revenues.
The consumer survey was conducted among 750 individuals living in the US and representing a wide and balanced range of income levels, education and ages.