Millions of consumers say they've dumped companies that leaked their confidential information last year, according to estimates based on a new survey. The results come after a brutal year for privacy, with dozens of companies admitting they’ve exposed 60 million consumers’ private information.
In a nationwide tally conducted by The Ponemon Institute, about 1 in 9 Americans indicated they've received notice from a firm revealing their personal information has been lost in the last 12 months — an estimated 23 million adults. About 40 percent of them almost missed the notice, believing the letter was either junk mail or a telemarketing call, according to the survey. But the most significant finding in the study, according to author Larry Ponemon, is the customer "churn" that resulted from the disclosures. About 1 in 5 of those surveyed said they had "discontinued" their relationship with the company involved. Another 40 percent said they were thinking about doing the same thing. The study had a margin of error of plus or minus 3 percent.
"If millions of adults shifted their company loyalty after a disclosure letter, that's an eye opener," said Rob Douglas, a banking consultant who operates PrivacyToday.com.
Are you threatening me?
While consumers don't always follow through on such claims to dump their companies out of frustration, even the threat should be enough to get the attention corporate executives, who spend millions in marketing dollars to acquire new customers.
"Even if it's just 1 or 2 percent churn, it could be devastating to a company," Ponemon said.
Federal legislators are considering about a dozen proposals designed to strengthen the nation's privacy laws. Several have provisions calling for mandatory disclosure of such data leaks to consumers. Ponemon said such public notices — really public embarrassment — are the only way to ensure companies pay attention to information security.
"Compliance with regulations ... that's not a big stick," Ponemon said. "When companies start losing customers, that can have a very significant economic effect."
The study had other distressing findings. Some 49 percent of those surveyed indicated their letters or phone calls did not provide enough details about the data breach. One in five said the letter did not list what information had been stolen. About half said the letter didn't indicate what the possible consequences were, or what steps recipients could take to mitigate any consequences.
Even worse — 28 percent of respondents said the notice was essentially useless to them, indicating that they had "no idea" what the notice was for.
And in another alarming finding, 50 percent said that even after receiving notification, they are doing nothing to protect themselves from becoming victims of identity theft. About 10 percent said they are now paying for a service to monitor their credit report; 5 percent said they hired a lawyer to sue the offending company.
A right way and a wrong way
But the study, which was sponsored by privacy practice law firm White & Case, had some positive suggestions for firms that lose data. The study revealed that delivery does matter when passing along bad news.
Cold-sounding form letters are a no-no, the study suggests. On the other hand, companies that quickly come clean, write more personal letters, and follow up with phone calls and additional services face a far smaller reputation hit. In fact, 12 percent of consumers who received a notice said the experience had actually increased their trust in the company.
"Some of those companies took the lemons and made lemonade," said David Bender, who heads White & Case's privacy practice.
Among the methods that seemed to please consumers — letters with understandable language, offers of free credit monitoring services, and speed. The sooner consumers are told, the more they believe the company is acting in good faith. Among consumers who complained that their notice did not provide enough detail, was not timely, and was not believable, the probability of churn was 38 percent, the report says. On the other hand, among respondents who said that the notice provided enough details, was timely and was believable, the probability of churn was 9 percent.
"People want to feel that they matter, that they are not just a digit and a piece of data to the company," Douglas said. "If you have an action plan in place, and the consumer feels (the company) really cares, you may cement a relationship."