SAN FRANCISCO -- A survey of card data security breach victims suggests that implementing a strong data security program, even after a breach has occurred, may be the most important thing credit unions can do after a breach.
Javelin Strategy and Research conducted a survey of 400 victims of data security breaches in May 2008 on behalf of Debix, an identity protection firm.
The consumer survey on data breach notification found that fully 40% of those surveyed said that the experience of a data breach changed their relationship with the affected institution or business.
It gets worse. An average of 55% of victims reported trusting the affected organization less and 30% said they vowed never again to purchase goods or services from that organization or business.
On a more positive note, fully 55% reported being satisfied with the fraud protection solution they were offered after the breach, though a greater percentage preferred solutions that prevented future data breaches over those that detect fraud after it occurs.
"When data breaches occur, victims can react strongly and disapprovingly, as evidenced by the data," Javelin wrote. "Customer trust is severely impacted by data loss incidents, with 55% of breach victims expressing diminished confidence in the breached organization's ability to protect and manage their personal data. This decrease in trust has serious implications for a company's brand, reputation, customer relationships and overall business."
The level of dissatisfaction can diminish even long-standing relationships, with 37% of breach victims interviewed saying they would cut back on the use of the institution's products or services after a breach, even if they continued to maintain a relationship.
Given the high degree of negative effects, Javelin pointed to data in the survey suggesting that a strong response from the institution toward meeting the needs of consumers can go a long way toward helping mend the relationship.
In order to mend the breach as much as possible, Javelin said institutions suffering breaches should offer the protection solution proactively, not waiting for the consumer to ask for it but instead offering it up front.
Consumers are steadily becoming more inclined to expect such an offering, with 36% of the breach victims reporting they had been offered some measure of identity protection after the breach.
"While notification allows the consumer to take protective action and to monitor their accounts more closely, from a customer service perspective, it is to the advantage of the institution to be proactive and offer assistance on behalf of the customer, especially if the exposed data is highly sensitive," Javelin wrote. "Breach victims should not be obliged to ask for help in protecting their identities when the fault of the breach lies with the institution. It is the responsibility of a breached organization to go beyond basic notification and offer a solution to the problem, not just an apology."