Consumers increasingly blame companies for data breaches

Moving forward, every company involved in a major data breach—those actually attacked, such as retailers Home Depot, Target, Goodwill and Neiman Marcus, as well as banks, healthcare, insurance and Internet Service Providers, etc.—is going to pay an even higher price when customers’ information is compromised. In fact, each high-profile hack will take its toll on the executive suite and the bottom line alike, say the results of a poll conducted by HyTrust.

The survey reveals that more than half of all respondents, 51%, will take their business elsewhere after a breach that compromises personal information, including address, social security number, and credit card details.

Almost as many, 45.6%, say the companies involved should be considered “criminally negligent” the moment a breach occurs, with the majority also believing that all officers of a company should be held responsible.

More than a third, 34.2%, believe the worst piece of information to be compromised is the social security number (SSN).

These findings are significant as the issue of data security is all over the headlines… again. Just this month, retail giant Home Depot became the latest victim of a massive cyber-assault, and we now know it’s potentially the largest retail security breach in history. The company acknowledged that a long-running, sophisticated hack with intrusions starting back in April using custom-built malware led to the theft of some 56 million credit and debit card numbers. That would mean it surpasses even the staggering losses accruing from the attack on Target late in 2013.

That episode led to big changes in the executive suite; it remains to be seen what effect the newest revelations from Home Depot will have, but they are likely to be severe.

“There probably isn’t a single straw that broke the camel’s back—it’s just the sheer volume of stories about data breaches, many at companies that have developed a customer-friendly brand,” said Eric Chiu, President at HyTrust. “What this poll shows is that companies are finally, and inevitably, being held to account for their security vulnerabilities. Consumers have options, and when there are endless stories about the loss of confidential information, they’re going to other vendors. Every security breach clearly has a direct impact on operations, but there’s now clear evidence that there’s extensive brand damage as well, and the executives involved will have to pay the price.”

Each question surveyed 2,000 respondents, offering a clear view into the evolving consumer mindset regarding this complex issue. For example:

  • Once is enough: Most consumers (45.6%) blame the companies involved the moment a data breach occurs, while only 12% withhold condemnation until “it happens more than once.” Additionally, this finger-pointing increases with age, with 34% of 25-34 year olds laying immediate blame versus 51% of those 65 and up. The more consumers make, however, the more forgiving they tend to be; the top answer for those making $150K or more shifted to “when it happens more than once.” Blame is also more vehemently focused on a breached company, understandably, when a person’s identity is stolen or misused.
  • Income and gender matter: Higher earners are more concerned about their SSNs: 36.5% of those making $50k-$74 cite this potential theft as most serious, while that falls to 22.8% among those making $24k or less. Meanwhile, women (17.9%) are twice as likely as men (9.6%) to worry about the loss of family photos and mementos.
  • Talking with their wallets: While 51% of respondents overall say they will take their business elsewhere following a data breach, that number jumps to 60.2% among consumers in the 35-44 age range. That finding, which focuses on a key demographic, should give retailers and other potential targets significant cause for concern.
  • Chief Security Officers (CSOs / CISOs) take note: When asked who in particular should be held “ultimately accountable” for failures in information security, 19.7% of respondents don’t make a distinction between executives with varying responsibilities, pointing the finger at “all officers” of a company. However, men and women aged 25-34 identify CSOs as most responsible, while those in the 45-54 age bracket go easiest on them.
  • The Board gets off easy: A company’s Board of Directors is ranked as the corporate entity most “off the hook” in terms of accountability for a data breach.