Abnormal churn, defined as the loss of customers due to a data breach, is on the rise in the United States. According to the 2018 Cost of Data Breach Study by IBM and the Ponemon Institute, the United States experienced a nearly eight percent increase in abnormal churn over last year’s study.
This study revealed familiar findings:
This study showed that if the companies could reduce abnormal churn by 25%, the total cost of a breach could be reduced by 20% or more. The 2017 Ponemon Institute study described two ways to effectively reduce abnormal churn:
The research on how best to respond to a data breach is new, evolving, and unsettled science. Below, we focus on four ways an incident response team can further reduce abnormal churn and, as a result, reduce the total cost of a data breach.
According to the Pew Research Center, roughly half of Americans don’t trust social media sites to protect their confidential information. In the wake of material breaches, Facebook, Uber, Wells Fargo, and Google are learning what it takes to rebuild the trust of both regulators and consumers. Appearing in full control of a breach maintains some customer confidence, while not being forthright with customers fuels distrust. PC Mag takes the consumer’s perspective in its list of data breach response don’ts: don’t improvise, don’t go silent, don’t make false or misleading statements, remember customer service, and don’t close incidents too soon.
The presence of unstructured data complicates some data breach responses because notification starts before taking a full account of all compromised Data Subjects. Data Subject is a term defined by the GDPR (General Data Protection Regulation) for any person residing in the EU whose personal data is being collected, held, or processed. The time and effort needed to analyze unstructured, breached data creates a level of uncertainty that can inhibit demonstrating control of the breach, communicating transparently, and managing customer perception.
Fortunately, a few vendors specializing in data breach review, data subject discovery, and entity resolution have emerged on the market and can improve the incident response team’s capabilities. Look for technologies and workflows that can process unstructured data, detect and extract data subjects and personal data, import structured entity data, and provide entity resolution. Entity resolution is the ability to link or group real-world entities, in this instance, Data Subjects. These emerging solutions are essential for developing a measured, accurate, and transparent communication plan that garners the trust of both the regulator and the consumer alike. Consider retaining a data breach review vendor during incident response planning so that sourcing and contracting are not part of the data response activities.
Evolving regulation-driven privacy notification deadlines leave little time for data breach review. In fact, when data is suspected to fall under the jurisdiction of GDPR Article 33(1), the controller must notify the appropriate Supervisory Authority or Authorities within 72 hours of becoming aware of the breach. In most cases, identifying what personal data has been impacted within 72 hours is not possible, and the effort is complicated by the work to remediate the breach itself. GDPR Article 33(4) anticipates this, allowing some notification information to be provided in phases if it is not possible to provide all of the information at the same time.
Unless the breach is limited to structured data (e.g. data exposed from databases or tables), accurately determining how many victims are contained in the breach is an arduous task. It may seem that the best course would be to skip the review and notify all customers, employees, or patients, since these lists are easily produced for notification purposes. However, the Ponemon Institute's study stated that the total cost of the breach rises with the number of records breached. Assuming a total breach is assuming the highest total cost of response. Instead of notifying all customers and employees, consider notifying in the following phases to maintain transparency and to meet deadlines:
Don't over-communicate. The incident response team should be able to provide a high-level impact assessment of the breach within 72 hours of the vendor receiving the data. This may be all that is needed for initial notification to the authorities. As the review progresses, the vendor can provide a specific list of Data Subjects needed to send exacting statements and notifications. Investing resources in data breach review will likely pay off in notification and lost business/reputation savings down the line.
Knowing one’s obligations under each privacy law becomes more useful when exact information about each breached Data Subject is available. Armed with a list of Data Subjects, one can defensibly determine whether a person is compromised under GDPR or another regulatory regime. What may be considered a breach under one regulation may not be considered a breach under another state, federal, or international regulation. Jason Sarfati, an attorney in Washington, DC, who frequently helps companies with these issues, said, “Determining which privacy standard should be applied to each Data Subject is one of the greatest compliance challenges organizations currently face.”
For example, under many state privacy regulations, exposure of an individual’s credit card number is not considered a breach of personal data unless the number is accompanied by another identifying piece of information, such as a first name or initial and last name. Under GDPR, a different standard applies: information is considered a breach if it is likely to impact the private life of the Data Subject. The data breach review vendor should have the capability to associate an affected individual with their compromised personal data and group individuals by similarity. By assessing each Data Subject on a case-by-case basis, the legal team may determine that the number of affected individuals is less than initially assumed, thereby reducing the probability of abnormal churn.
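The following sketch is an added example, not code from any review vendor or from the original article. It illustrates entity resolution over fragments extracted from unstructured data and then applies the card-plus-name rule as stated above. The field names, the `LINK_KEYS` choice, and exact-match linking (a simplification of grouping "by similarity") are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample: fragments extracted from unstructured breached files.
RECORDS = [
    {"id": 1, "email": "a.lee@example.com", "name": "Ana Lee"},
    {"id": 2, "email": "A.Lee@example.com", "card": "4111111111111111"},
    {"id": 3, "phone": "555-0100", "card": "5500005555555559"},
    {"id": 4, "phone": "555-0100", "email": "sam@example.org"},
    {"id": 5, "email": "j.roe@example.net", "name": "J. Roe"},
]
LINK_KEYS = ("email", "phone")  # assumption: identifiers strong enough to link on

def resolve_entities(records):
    """Group records sharing any linking identifier into one Data Subject."""
    parent = {r["id"]: r["id"] for r in records}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}
    for r in records:
        for key in LINK_KEYS:
            if key not in r:
                continue
            token = (key, r[key].strip().lower())  # normalize before matching
            if token in first_seen:
                parent[find(r["id"])] = find(first_seen[token])
            first_seen.setdefault(token, r["id"])

    subjects = defaultdict(lambda: defaultdict(set))
    for r in records:
        for field, value in r.items():
            if field != "id":
                subjects[find(r["id"])][field].add(value)
    return [dict(s) for s in subjects.values()]

def triage(records):
    """Count subjects whose card number is accompanied by a name, per the rule above."""
    subjects = resolve_entities(records)
    with_name = sum(1 for s in subjects if "card" in s and "name" in s)
    card_only = sum(1 for s in subjects if "card" in s and "name" not in s)
    return {"subjects": len(subjects), "card_with_name": with_name, "card_only": card_only}
```

Five raw fragments collapse to three Data Subjects, and only one of the two exposed card numbers is linked to a name; the card-only subject is the kind of case the legal team would assess separately under each applicable regime.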
Conversations with researchers point to a couple of effective practices emerging for notifying customers in a way that reduces abnormal churn. A 2018 study, “The Effect of a Data Breach Announcement on Customer Behavior: Evidence from a Multichannel Retailer,” found that retail customers who know their data is vulnerable are at greater risk of abnormal churn or decreased spending. The co-author of the study, Ramkumar Janakiraman, stated, “Customers with low level prior experience with the retailer are more likely to really churn, while it is the loyal customers who are more likely to stick with the retailer. We do see churn, but it varies across high versus low loyal customers.”
Janakiraman explains that there is an opportunity for the retailer to personalize their email communications by customer segment. The retailer should be smart and use a different tone with the customers who are new to the retailer. He stated, “Part of the communication strategy is to acknowledge, of course, the breach, and then focus on what the firm is doing to make sure that they help protect the customers from any further damage or misuse of that information…focus on the positives.” To accomplish customized notifications, your data breach review solution must be able to associate the final list of Data Subjects with your list of customers and customer profiles. Janakiraman said, “There is real empirical evidence that the loyal customers are the ones who are more likely to come back to the store and are more forgiving.”