Compensation in response to a data breach is most effective when it meets customers’ expectations for what is appropriate, according to a new study by information systems researchers at the University of Arkansas.
Such data breaches encompass privacy, information and security breaches.
In a longitudinal field study following the Sony PlayStation Network data breach in 2011, Hartmut Hoehle, assistant professor of information systems in the Sam M. Walton College of Business in Fayetteville, Ark., and Viswanath Venkatesh, distinguished professor and Billingsley Chair of Information Systems, collected customer data and found that firms can alienate customers by offering too much in response to a data breach.
At the time, the Sony network breach was one of the largest data breaches ever, compromising personal and financial information of more than 77 million user accounts. The estimated direct costs of the breach exceeded $171 million.
When firms offered compensation aligned with customer expectations, the researchers found, customers responded favorably in three key customer outcomes – service quality, intentions to continue using the product or service, and intentions to repurchase the product or service.
Perceived overcompensation – providing gifts or discounts that exceeded customer expectations – tended to make customers suspicious and therefore had an overall negative effect on intentions to repurchase the product or service.
“Our findings demonstrate that firms should carefully consider response strategies and associated investments to make amends following a data breach,” said Venkatesh. “Despite the high costs of compensating all customers, managers may be tempted to solve the problem by ‘throwing money at it’ due to pressure from dissatisfied customers, widespread media attention and competitors’ reactions to previous data breaches. Our findings emphasize that such a strategy may in fact be problematic.”
As data breaches become more frequent, the authors say that companies such as Home Depot, eBay and Target, each of which has also suffered major breaches in the past five years, struggle to understand the appropriate compensation for customers whose personal or financial information is compromised.
Using a panel data provider, the researchers started collecting data immediately after hearing about the Sony breach and followed up with a second survey after compensation was provided by Sony.
Examples of free compensation were a month of free network membership and free downloadable content for customers whose PlayStation network accounts were breached. Perceived compensation beyond these offerings had a negative effect on intentions to repurchase the product or service, the researchers found. Also, any compensation that did not confirm expectations had a negative effect on repurchase intentions.
“These findings, we believe, are critical because organizations can overreact and thus make customers suspicious that there may be more to the breach,” Hoehle said.
Venkatesh and Hoehle collaborated with Susan Brown of the University of Arizona and Sigi Goode of Australian National University.
In 2014, Venkatesh and Hoehle reported on similar research and findings surrounding the Target data breach. That research found that Target customers reacted favorably to a 10-percent discount on purchases while another Target strategy – free credit monitoring for affected customers – received mixed reactions from consumers.
The researchers said their study, published in MIS Quarterly, is one of the first to develop a model based on customer reactions to large-scale data breaches.
Sources: Walton College of Business, MIS Quarterly