After a Data Breach, How Should Companies Respond?

Distinguished Professor Varun Grover holds the George M. and Boyce W. Billingsley Endowed Chair in Information Systems at the Sam M. Walton College of Business.
Russell Cothren

Each year, more companies experience data breaches. The costs are high. Business operations can be interrupted. Customers may leave. And IT security upgrades are often necessary. In the United States, the average cost of a single data breach is $9.36 million. 

Varun Grover, Distinguished Professor at the Sam M. Walton College of Business, recently had his own personal information exposed four times in data breaches. 

"These are reputable companies. They apologized. But my data is out there, and it's a little concerning," Grover said. 

As a professor of information systems, the experience made Grover wonder how effectively companies react to data breaches. 

Which responses are most likely to retain customers? Which ones satisfy investors? How quickly should a company acknowledge a theft of data? Does each situation require a unique plan? And could companies find less expensive strategies that still address the concerns of customers and investors? 

Grover, who holds the George M. and Boyce W. Billingsley Endowed Chair in Information Systems, published his answers to those questions in the Journal of Management Information Systems. His co-author is Hamid Reza Nikkhah, a U of A graduate student at the time of the research and now an assistant professor at the University of Nevada, Las Vegas. 

WHAT CONSUMERS REALLY WANT 

For the study, the researchers created hypothetical data-breach scenarios involving well-known companies. They then surveyed nearly 1,000 adults to determine which responses would prompt them to switch to another company. The researchers also examined both stock performance and consumer behavior following actual data breaches. 

According to the research, customers expect prompt disclosure of a data breach. And they want to hear it directly from the company. When customers learn about it on the internet or in the news, they often assume either that the company was unaware of the breach or that it knew and attempted to cover up the incident. 

Investors were more concerned about large data breaches that exposed many records, as this could lead to a higher loss of customers. The customers themselves, surprisingly, did not care whether the unauthorized disclosure of data was large or small. 

After a breach, most companies add new security measures to protect consumers' data in the future. Those actions, however, do not affect consumers' opinions about the company. 

"Just corrective action itself is not effective," Grover said. "That's the bare bones expectation." 

What does matter to consumers is an apology. Companies often offer their affected customers credit monitoring or identity theft protection services after a data breach. The U of A researchers found that an apology alone was sufficient, and additional compensation did not alter consumers' attitudes toward the company.

NO END IN SIGHT 

"It's almost inevitable that you're going to see more data breaches," Grover said. 

Every company should expect to suffer a data breach at some point, Grover said. They should have a crisis management plan ready in advance. 

The U of A research points the way toward the most effective response: acknowledge the breach quickly and apologize to the customers. The research also shows that companies can reduce the cost of data breaches by forgoing compensation that has little impact on customer attitudes. 

"This is a problem that has been increasing, and we're not going to have any magic formula to fix it. It's a battle between the black hats and the white hats," he said.

Contacts

Varun Grover, Distinguished Professor, Department of Information Systems
Sam M. Walton College of Business
479-575-5980, vgrover@uark.edu

Todd Price, research communications specialist
University Relations
479-575-4246, toddp@uark.edu