The recent data breach involving four million government workers is an unpleasant reminder of how vulnerable our digital information has become. On the consumer side, high-profile breaches at Target and Home Depot are just two examples of dozens of similar cases. Surprisingly, many retail and financial-services executives think that data breaches have become so common that consumers will quickly forget.
That’s anything but true. A survey of 1,060 U.S. consumers we conducted late last year busts five commonly held myths about data breaches – including the misconception that consumers are numb to them. Executives and investors may be quick to forget, but shoppers are not, and that could impact retailers’ profit and share price.
Myth 1: Most consumers don’t know or care about data breaches.
Retailers may be shocked to learn that nearly 70 percent of the consumers we surveyed could correctly identify companies that had been breached. And they care. When asked how reports of data breaches have impacted their shopping habits, 15 percent of respondents said they generally stopped shopping at breached retailers and 23 percent generally stopped using breached payment methods. Furthermore, our survey found that when a consumer has been a victim of a breach, his or her reactions are even more pronounced.
Myth 2: Data breaches don’t affect consumer spending.
With 15 percent of consumers planning to stop shopping at affected retailers, revenue will take a hit. Even more dramatic, among those whose personal data was breached, more than a quarter say they would stop shopping at that retailer, and nearly a third would close their account.
And it gets worse. Among consumers who would continue shopping there, almost 50 percent say they would change how they pay, with 60 percent of them planning to use more cash (in place of credit and debit). Increased use of cash matters because market data shows that those who pay with cash have average ticket sizes that can be 10 to 20 percent lower.
Myth 3: If a retailer experiences a breach, only the retailer is impacted.
The impact of a data breach stretches into the payments space. Nearly half of the consumers surveyed strongly believe that a breach is the bank’s fault as well a retailer’s. Furthermore, 43 percent say they have closed, frozen or stopped using a particular payment account after hearing about a data breach. These responses indicate that a data breach impacts the revenues, profits and reputation of the entire transaction-processing system.
Myth 4: If there is any consumer reaction to a data breach, it is short lived.
The prevailing view is that once the storm passes, business will quickly return to normal. Indeed, stocks often take a short-term hit upon the news, but eventually rebound to pre-breach levels. However, our survey results suggest that consumers have longer memories than investors.
Although Target was breached in late 2013, this breach is still in the minds of many Target customers who indicated to us in late 2014 that it would affect their spending plans during the holiday season—nearly a full year after the breach was reported.
Myth 5: Little needs to be done to bring customers back after a data breach.
Many affected retail companies and financial institutions have made little effort to win back business. They seem to believe that consumer behavior will not change. However, these executives may not truly understand what portion of their customer base they have alienated.
We believe an effective response involves working to develop a deeper understanding of customer reaction to the breach, along with a strategy to win back at-risk customers. Knowing that there are specific groups of customers who are likely to defect or pay with cash and decrease their ticket size, breached companies must identify specific segments of at-risk customers and develop highly targeted win-back strategies including special offers and communications.
In fact, knowing that a data breach is almost inevitable – it is more a question of “when” than “if” – retailers should have a recovery strategy ready. Companies of all sizes need to prepare for such an event and should not assume that customers will forgive or forget.