Throwing Money at Data Breach May Make It Worse

Photo Submitted

Viswanath Venkatesh, University of Arkansas.

FAYETTEVILLE, Ark. – Information systems researchers at the University of Arkansas, who studied the effect of two compensation strategies used by Target in reaction to a large-scale data breach that affected more than 70 million customers, have found that overcompensation of affected customers may only raise suspicions rather than satisfy customers’ sense of justice.

The researchers have developed a model that organizations can use to address and respond to large-scale data breaches and manage customer outcomes.

“Our findings demonstrate that firms should carefully consider response strategies and associated investments to a large-scale data breach,” said Viswanath Venkatesh, Distinguished Professor in the Sam M. Walton College of Business. “Despite the high costs of compensating all customers, managers may be tempted to solve the problem by ‘throwing money at it’ due to pressure from dissatisfied customers, widespread media attention and competitors’ reactions to previous data breaches.

“Our findings emphasize that such a strategy may in fact be problematic.”

Hartmut Hoehle

Venkatesh and Hartmut Hoehle, assistant professor of information systems, conducted a longitudinal field study investigating Target’s large-scale data breach in December 2013. They collected 338 responses from individuals who participated in two rounds of surveys, one taken immediately after the breach occurred and another after reparations had been made. The surveys asked customers about their experiences and expectations for compensation.

Venkatesh and Hoehle found that Target customers reacted favorably to a 10-percent discount on purchases. Focusing on three critical outcomes – continued shopping intentions, positive word-of-mouth, and online complaints – the researchers’ model showed this form of compensation effectively restored justice perceptions, which had positive effect on customer sentiment.

Another Target strategy – free credit monitoring for affected customers – received mixed reactions. Many customers disliked this strategy, regarding extended periods of free credit monitoring as overcompensation and risking the perception that there was more to the breach than the company communicated.

“Overcompensated customers may feel that the breached organization is not transparent and respectful in its interaction with customers, which leads to low perceptions of justice and poor sentiment,” said Venkatesh.

The study follows a spate of data breaches experienced by large retail firms, such as Home Depot, Sony and eBay, that, in addition to Target, use so-called “big data” and analytics to better serve customers and drive sales performance. Most of these data are recorded at the point-of-sale transactions within the stores.

Academic research has begun to explore the benefits of big data and analytical techniques, but so far neither academic nor industry experts have focused on the organizational challenges, such as large-scale data breaches. This study is one of the first to develop and validate a model based on customer reactions to large-scale data breaches. Experts agree such breaches cannot be entirely avoided through technological and managerial measures.

The study has been submitted for publication and is under review.

Venkatesh holds the George and Boyce Billingsley Endowed Chair in Information Systems.