
Javelin Research Pinpoints How Institutions Should Respond to Data Breaches

By : Javelin Strategy & Research
Published : Jun 23, 2008
Length : 15
Type : Analyst Report
 
Overview :

Javelin Strategy & Research has released a study covering data breach victims, which highlights the acute awareness among consumers about data security and the significant implications security breaches represent to businesses once consumer trust is compromised.

Read this report for further information on Javelin's recommendations to institutions, to address consumer security concerns and expectations in the event of a data breach.

With data breaches continuing to make daily headlines, consumer awareness of identity theft and the security of their personal information will only be heightened. Publicity of large-scale breaches has caused an outrage among consumer advocacy groups as well as adversely affected organizations such as banks and issuers. Some incidents have led breached institutions to be stricken with class-action lawsuits, as was the case with TJX and more recently with the Hannaford breach.
Above any financial losses, however, is the breached institution's reputation, which is heavily dependent on the company's image, brand and its relationships with customers. While data breaches can cost tens of millions of dollars to repair because of fines, security upgrades and notification efforts, reputation is one asset that may not be guaranteed as fully restorable.
Key findings from a survey of breach victims highlight the implications that security breaches hold, in terms of consumers' expectations regarding the breached institution, financial behavior and perceptions of identity fraud:
- For 40% of consumers, security breaches changed their relationships with the affected institution or business.
- 55% of breach victims offered a fraud protection solution were satisfied with the institution's handling of the incident, almost double the 31% of those who were satisfied without being offered any kind of restitution.
- The majority of breach victims (56%) prefer a solution that prevents fraudulent use of their information, rather than detecting or resolving fraud after it has occurred.
- Confidence and buyer behavior are severely impacted by security breaches, with 55% of victims trusting the affected organization less, and 30% choosing to never purchase goods or services again from that organization. As a result, breached institutions must go beyond basic notification and take assertive action to mitigate the risk placed on victims.
- Breach victims are beginning to expect fraud protection assistance from the institution, with 36% already having been offered some kind of identity fraud protection service.
Safeguarding customer data is a basic component of good business practice, yet the number of compromised accounts due to security breaches is at an all-time high. Since January 2005, nearly 227 million[1] records containing sensitive information have been exposed through security breaches, and over 35 million[2] Americans have had their information compromised in a data breach.
There have been more than 1,000 reported data leakage incidents since 2003.[3] Data security has come under increasing scrutiny as breach incidents continue to make news headlines on a frequent basis. An environment of mistrust is becoming more entrenched among consumers, and the media's preoccupation with sensationalizing data breaches only adds fuel to the fire.
The infamous TJX and U.S. Department of Veterans Affairs breaches single-handedly placed data security as a prominent fixture in the media spotlight, even going as far as to prompt legislative action. After suffering the loss of 94 million records comprising credit and debit card numbers, as well as 455,000 addresses and social security numbers,[4] TJX has spent or placed in reserve more than $256 million to repair the damage. The disclosures sparked widespread concern over the perceived lack of information security controls, prompting a sweeping overhaul of information technology (IT) development, operations and maintenance organization, as well as top-level personnel changes.
As Breach Notifications Proliferate, Consumers Begin to Question the Safety of their Data
Data breaches are defined as names matched with social security numbers, driver's license or state identification numbers; or account numbers or credit or debit card numbers with passwords or codes. Thus far, 41 states have legislated differing versions of data breach notification bills, creating a patchwork of laws that makes compliance all the more complicated.
California's law SB 1386, the first notification law, which went into effect on July 1, 2003, requires automatic notification whenever private data has been breached, unless the data is encrypted. More than five years after this law was enacted, not all states have followed suit. Among the 41 states that have enacted some sort of breach disclosure law, most follow the basic tenets of California's original law: companies must immediately disclose a data breach to customers, usually in writing. In California, there is a private right of action, and there are very few exemptions. Laws in other states may allow more exemptions or do not allow a private right of action. The Massachusetts law pertains to paper records as well as computer data.