Data Breaches

Research: Standard Response in Data Breach May Not Be Best

• By Dian Schaffhauser
• 01/05/15

People whose personal information has been exposed may distrust the response of the organization where the data breach occurred if it looks like the response is too generous. In fact, two researchers from the University of Arkansas suggested, throwing money at a data breach may make the fallout worse.

Viswanath Venkatesh, a professor of information systems in the college of business, and Hartmut Hoehle, assistant professor of information systems, specifically examined two compensation strategies used by retailer Target after a data breach a year ago that affected 70 million customers. In the study the researchers collected 338 responses from affected individuals who participated in two surveys — one given immediately after the breach was publicized; and the second given after Target began its customer response efforts.

The surveys specifically asked respondents about their experiences and expectations for compensation, based on questions that examined their future shopping intentions, word of mouth and online complaints.

Free credit monitoring for a period — a typical response offered by breached organizations — was viewed as "overcompensation" for the damage done. Customers reacted more favorably to the retail chain's offer of a 10 percent discount on purchases.

As the researchers noted in a statement, the discount approach better fit what customers perceived justice should look like and had a more positive effect on their sentiment regarding the company.

"Overcompensated customers may feel that the breached organization is not transparent and respectful in its interaction with customers, which leads to low perceptions of justice and poor sentiment," said Venkatesh.

The researchers said they've developed a model that organizations can use to respond to data breaches for managing customer outcomes.

"Our findings demonstrate that firms should carefully consider response strategies and associated investments to a large-scale data breach," noted Venkatesh. "Despite the high costs of compensating all customers, managers may be tempted to solve the problem by 'throwing money at it' due to pressure from dissatisfied customers, widespread media attention and competitors' reactions to previous data breaches. Our findings emphasize that such a strategy may in fact be problematic."

The study has been submitted for publication and is currently under review.