Most Consumers Don’t Ditch Breached Companies

For companies that may have been breached, don’t fret — you may not lose your customers.

A new study shows that consumers don’t tend to cut off their business ties with those companies, even after a breach occurs. According to a new RAND Corporation study, of the quarter of American adults that reported being notified that their personal information was part of a breach, only 11 percent of those said they stopped doing business with those companies.

“While data breaches have become an alarmingly common part of American life, most people appear satisfied with companies’ responses to data breaches and few decide to take their business elsewhere,” said lead author Lillian Ablon, a cybersecurity and emerging technologies researcher at RAND, a nonprofit research organization. “It’s unclear whether this response will induce companies to improve their breach notification practices.”

Interesting enough, that same survey revealed that 44 percent of consumers said they knew of the hack before the company sent out notifications about the incident. And roughly 10 percent said they encountered the breach by discovering unauthorized activity on their own accounts.

But of those who did receive notice from the company, they appeared to be open to the services the impacted companies were offering to make up for losses. This included 62 percent of those surveyed saying they used the free credit monitoring services. Those who declined such services cited the time and effort required to implement the offers. Or in some cases, the breach victims already had similar services in place.

And in general, a majority of those surveyed (77 percent) said the company handled the post-breach response well. But at the same time, many respondents believed companies could take to better protect personal information.

“Our research shows the importance of legislation that requires companies to notify individuals when a breach occurs,” Ablon said. “Data breach notification laws empower consumers to take quick action to reduce risk and create incentives for companies to improve data security. Unfortunately, data breach laws are not uniform or even present for every state.”

The survey questioned a nationally representative sample of 2,038 adults who participate in the RAND American Life Panel, an Internet-based survey panel. The survey taken was designed to provide a snapshot of the frequency of breach notifications and the types of data compromised, as well as consumer reactions to the breach, the notification process and the affected company. The survey also examined estimates regarding the perceived personal cost of the breach, as well as suggestions regarding future notifications and data protection measures.

The median amount lost by respondents was $500. Thirty-two percent felt the breach imposed no dollar loss to them. Median dollar values were higher if health information ($1,000), social security numbers ($1,000) or other financial information ($864) was compromised. Just under 6 percent of those who had ever received a data breach notification (an estimated 6 million U.S. adults) said it cost them $10,000 or more.