Throwing money at data breach may make it worse

December 22, 2014, University of Arkansas

Information systems researchers at the University of Arkansas, who studied the effect of two compensation strategies used by Target in reaction to a large-scale data breach that affected more than 70 million customers, have found that overcompensation of affected customers may only raise suspicions rather than satisfy customers' sense of justice.

The researchers have developed a model that organizations can use to address and respond to large-scale data breaches and manage customer outcomes.

"Our findings demonstrate that firms should carefully consider response strategies and associated investments to a large-scale data breach," said Viswanath Venkatesh, Distinguished Professor in the Sam M. Walton College of Business. "Despite the high costs of compensating all customers, managers may be tempted to solve the problem by 'throwing money at it' due to pressure from dissatisfied customers, widespread media attention and competitors' reactions to previous data breaches.

"Our findings emphasize that such a strategy may in fact be problematic."

Venkatesh and Hartmut Hoehle, assistant professor of , conducted a longitudinal field study investigating Target's large-scale in December 2013. They collected 338 responses from individuals who participated in two rounds of surveys, one taken immediately after the breach occurred and another after reparations had been made. The surveys asked customers about their experiences and expectations for compensation.

Venkatesh and Hoehle found that Target customers reacted favorably to a 10-percent discount on purchases. Focusing on three critical outcomes – continued shopping intentions, positive word-of-mouth, and online complaints – the researchers' model showed this form of compensation effectively restored justice perceptions, which had positive effect on customer sentiment.

Another Target strategy – free credit monitoring for affected customers – received mixed reactions. Many customers disliked this strategy, regarding extended periods of free credit monitoring as overcompensation and risking the perception that there was more to the breach than the company communicated.

"Overcompensated customers may feel that the breached organization is not transparent and respectful in its interaction with customers, which leads to low perceptions of justice and poor sentiment," said Venkatesh.

The study follows a spate of data breaches experienced by large retail firms, such as Home Depot, Sony and eBay, that, in addition to Target, use so-called "big data" and analytics to better serve customers and drive sales performance. Most of these data are recorded at the point-of-sale transactions within the stores.

Academic research has begun to explore the benefits of and analytical techniques, but so far neither academic nor industry experts have focused on the organizational challenges, such as large-scale data breaches. This study is one of the first to develop and validate a model based on customer reactions to large-scale data breaches. Experts agree such breaches cannot be entirely avoided through technological and managerial measures.

The study has been submitted for publication and is under review.

Explore further: Staples: Customer data exposed in security breach

Related Stories

Bebe discloses data breach

December 5, 2014

(AP)—Bebe stores Inc. said Friday that it recently detected suspicious activity on computers that run the payment processing system used for its stores, making it the latest company to disclose a data breach.

Target offers credit monitoring after data breach

January 24, 2014

Target Corp. is offering some of its Canadian customers a year of free credit monitoring after a massive security breach at its U.S. stores put confidential details into the hands of thieves.

Recommended for you

2 comments

Adjust slider to filter visible comments by rank

Display comments: newest first

Williamson2703
not rated yet Dec 23, 2014
Interesting information, Companies should proactively assess cybersecurity risks and effectively respond to an incident are best able to mitigate the most common treats to its applications. I work for McGladrey and there is a whitepaper on our website it offers good information on the above discussed topic readers will find it helpful. bit.ly/mcgldryinfosec2
kochevnik
not rated yet Dec 23, 2014
NSA paid RSA corporation to patch in NSA's BeSafe code to build back door into RSA encryption. Any crackers can exploit these weaknesses and gain entry. USA concerns about security is false pretense. They will always weaken security so they can spy. Control is all they care about, regardless of the consequences

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.