
Losing Customer Data Means Losing Customers, Period

By Rebekah Mintzer
July 02, 2014

To see the negative financial impacts of a breach of sensitive customer data, look no further than Target Corp., where a holiday-season data breach of up to 110 million credit and debit card accounts cost the company $61 million to manage in the fourth quarter of 2013, and will almost certainly keep costing for months to come. See “Online Extra Cost of Target Data Breach: $61M – So Far,” e-Commerce Law & Strategy, March 2014. Target was also hit with other expenses likely tied to the breach, but less directly. For example, net income dropped 46% in the last quarter of 2013, compared with the same quarter in 2012.

A new report, “Avoidable Collateral Damage from Corporate Data Breaches: Assessing the Effects of Data Breach Remediation on Financial Institutions, Healthcare Providers and Merchants” (lite registration required), supports the idea that becoming the next Target can be toxic for companies, particularly those in the finance, health-care and retail sectors, which usually collect and store customers' personally identifiable information (PII). The study, commissioned by sensitive data management solution provider Identity Finder, with research by Javelin Strategy & Research, also finds that many companies are offering identity protection services (IDPS) to customers in the wake of breaches, but that these might not be terribly effective tools.

The report shows that a data breach can discourage a significant number of customers from coming back to the business that has been hacked. After a retail data breach, 33% of respondents said they would avoid doing business with that retailer again. This number reached 30% for customers of health-care providers and 24% for customers of financial institutions or credit card issuers. “To see that such a high percentage of consumers have such a negative reaction and would change vendors, even health-care vendors, so readily did come as a surprise to us,” Aaron Titus, chief privacy officer and general counsel of Identity Finder, told e-Commerce Law & Strategy's ALM sibling, CorpCounsel.com.

When Target's data breach was revealed to the public, the company decided to offer its customers a year of free credit monitoring, including identity theft insurance. Offering customers free or subsidized IDPS, according to the report, has become a standard practice for organizations that experience breaches of sensitive customer data. Some 54% of respondents whose health-care provider was breached said that they were offered these services afterward. This was somewhat higher than the 40% who said their breached financial institutions and credit card issuers offered them these options, and the 30% of retail customers who were offered IDPS.

However, the report calls into question the true effectiveness of IDPS in many cases. “ID theft protection services are not well suited to mitigate the risk to consumers in the majority of those cases,” Titus said. For example, although health-care providers captured in the survey tended to supply IDPS post breach, the report said, these services usually offer poor protection from medical identity fraud. Overall, the report concludes, the effectiveness of IDPS depends on the type of data compromised and the capabilities of the specific IDPS product.

The knowledge that IDPS might not be so beneficial hasn't stopped companies from spending money on these services and offering them up as solutions in post-breach scenarios. This is in part, Titus said, because giving out IDPS provides good public-relations optics for the companies, and in part because these tools have, to some degree, been embraced by the legal system as remedies. “There are strong legal precedents that courts will accept ID theft protection services as adequate penance for wrongdoing or negligence or whatever the case may be,” noted Titus.

Of course, the best solution for avoiding having to pay for or solve problems created by a data breach is to prevent the breach from occurring at all. As a general counsel himself, Titus said that in-house attorneys have an important role to play in prevention. “I'd say in-house counsel should help decision makers and executives understand that sensitive information is not an asset, it is a liability,” he said. This means helping to implement and maintain what he called a “culture of data minimization,” in which less sensitive data moves through a company's systems, and the location of all sensitive data is accounted for at all times, inventoried and documented.

According to Titus, careful preparation for a potential breach is essential, which means knowing who will be on the response team beforehand, and providing quality crisis-response training to members of the organization. When a breach does occur, he advises that in-house counsel stick with their instinct to preserve the evidence. Tampering too much with technology in the aftermath of an incident, he said, could hurt an investigation down the line.

But in-house attorneys dealing with a data breach might find their legal training makes life harder when it comes to post-breach public relations. Titus pointed out that, although the level of communication with the public varies from one breach to the next, an attorney's instinct to keep clients quiet after such an event might not always be the best one for the organization. “We don't want to say anything to the public that could be construed as an admission of fault that could be used in court later,” he said. “In the meantime, however, your stock is hemorrhaging and people are leaving in droves. That risk may eclipse even the worst potential legal liability.”

Rebekah Mintzer writes for Corporate Counsel magazine, an ALM sibling publication of e-Commerce Law & Strategy.

