‘Throwing Money’ at Data Breach Victims May Not Be Best Response

December 28, 2014

Offering customers discounts on future purchases and free credit monitoring — strategies used by Target after its large-scale data breach — may raise suspicions rather than satisfy customers’ sense of justice, according to researchers at the University of Arkansas.

Information systems researchers at the university studied the effect of these two compensation strategies used by Target in reaction to its data breach last December that affected more than 70 million customers. They found that while such responses are understandable in the wake of competitive pressures and media attention, they are problematic.

Viswanath Venkatesh, distinguished professor in the Sam M. Walton College of Business, and Hartmut Hoehle, assistant professor of information systems, conducted a longitudinal field study, collecting 338 responses from individuals who participated in two rounds of surveys, one taken immediately after the breach occurred and another after reparations had been made. The surveys asked customers about their experiences and expectations for compensation.

Venkatesh and Hoehle found that Target customers reacted favorably to a 10-percent discount on purchases. Focusing on three critical outcomes – continued shopping intentions, positive word-of-mouth, and online complaints – the researchers’ model showed this form of compensation effectively restored justice perceptions, which had a positive effect on customer sentiment.

Another Target strategy – free credit monitoring for affected customers – received mixed reactions. Many customers disliked this strategy, regarding extended periods of free credit monitoring as over-compensation, which risked creating the perception that there was more to the breach than the company communicated.

“Overcompensated customers may feel that the breached organization is not transparent and respectful in its interaction with customers, which leads to low perceptions of justice and poor sentiment,” said Venkatesh.

The researchers have developed a model that organizations can use to address and respond to large-scale data breaches and manage customer outcomes.

“Our findings demonstrate that firms should carefully consider response strategies and associated investments to a large-scale data breach,” said Venkatesh. “Despite the high costs of compensating all customers, managers may be tempted to solve the problem by ‘throwing money at it’ due to pressure from dissatisfied customers, widespread media attention and competitors’ reactions to previous data breaches.

“Our findings emphasize that such a strategy may in fact be problematic.”

Hypothetically, Here’s How to Respond to a Data Breach

The University of Arkansas study follows a spate of data breaches experienced by large retail firms, such as Home Depot, Sony and eBay, that, like Target, use so-called “big data” and analytics to better serve customers and drive sales performance. Most of these data are recorded during point-of-sale transactions within the stores.

Academic research has begun to explore the benefits of big data and analytical techniques, but so far neither academic nor industry experts have focused on the organizational challenges, such as large-scale data breaches. The researchers say their study is one of the first to develop a model based on customer reactions to large-scale data breaches. Experts agree such breaches cannot be entirely avoided through technological and managerial measures.

The study has been submitted for publication and is under review.

Venkatesh holds the George and Boyce Billingsley Endowed Chair in Information Systems.

Source: University of Arkansas research
