Four recommendations to reduce abnormal churn after a data breach
Abnormal churn, defined as the loss of customers due to a data breach, is on the rise in the United States. According to the 2018 Cost of Data Breach Study by IBM and the Ponemon Institute, the United States experienced a nearly eight percent increase in abnormal churn over last year’s study.
This study revealed familiar findings:
The number of personal records stolen in the data breach drives the overall cost of the data breach. The more customers lost following the breach, the higher the average total cost of the data breach. Health, financial, pharmaceutical, service, and technology industries are the most vulnerable to abnormal churn. The more individuals who are compromised, the higher the cost of the breach. The total cost of the breach is calculated by measuring four data breach response activities: detection and escalation, post data breach response, notification, and lost business/reputation. Implementation of an incident response team is found to be the largest factor in reducing the total cost.
This study showed that if companies could reduce abnormal churn by 25 percent, the total cost of a breach could be reduced by 20 percent or more. The 2017 Ponemon Institute study described two ways to effectively reduce abnormal churn: establish a loyalty program led by senior executives prior to the breach, and provide identity protection to victims of the data breach.
The research on how best to respond to a data breach is new, evolving, and unsettled science. Below, we focus on four ways an incident response team can further reduce abnormal churn and, as a result, reduce the total cost of a data breach.
Retain a company specializing in data breach review
According to the Pew Research Center, roughly half of Americans don’t trust social media sites to protect their confidential information. In the wake of material breaches, Facebook, Uber, Wells Fargo, and Google are learning what it takes to rebuild the trust of both regulators and consumers. Appearing in full control of a breach maintains some customer confidence, while not being forthright with customers fuels distrust. PC Mag takes the consumer’s perspective in its list of data breach response don’ts: don’t improvise, don’t go silent, don’t make false or misleading statements, remember customer service, and don’t close incidents too soon.
The presence of unstructured data complicates some data breach responses because notification starts before taking a full account of all compromised Data Subjects. Data Subject is a term defined by the GDPR (General Data Protection Regulation) for any person residing in the EU whose personal data is being collected, held, or processed. The time and effort needed to analyze unstructured, breached data creates a level of uncertainty that can inhibit demonstrating control of the breach, communicating transparently, and managing customer perception.
Fortunately, a few vendors specializing in data breach review, data subject discovery, and entity resolution have emerged on the market and can improve the incident response team’s capabilities. Look for technologies and workflows that can process unstructured data, detect and extract data subjects and personal data, import structured entity data, and provide entity resolution. Entity resolution is the ability to link or group records that refer to the same real-world entity, in this instance, the same Data Subject. These emerging solutions are essential for developing a measured, accurate, and transparent communication plan that garners the trust of both the regulator and the consumer. Consider retaining a data breach review vendor during incident response planning so that sourcing and contracting are not part of the data breach response activities.
Notify in phases
Evolving regulation-driven privacy notification deadlines leave little time for data breach review. In fact, when data is suspected to fall under the jurisdiction of GDPR Article 33 (1), the controller must notify the appropriate Supervisory Authority(s) within 72 hours of becoming aware of the breach. In most cases, identifying what personal data has been impacted within 72 hours is not possible, and the task is further complicated by the work to remediate the breach itself. GDPR Article 33 (4) anticipates this, allowing some notification information to be provided in phases if it is not possible to provide all of the information at the same time.
Unless the breach is limited to structured data (e.g. data exposed from databases or tables), accurately determining how many victims are contained in the breach is an arduous task. It may seem that the best course would be to skip the review and notify all customers, employees, or patients, since these lists are easily produced for notification purposes. However, the Ponemon Institute's study stated that the total cost of the breach rises with the number of records breached. Assuming a total breach is assuming the highest total cost of response. Instead of notifying all customers and employees, consider notifying in the following phases to maintain transparency and to meet deadlines: 1) confirm personal data breach, 2) notify authorities, 3) notify affected individuals.
Don't over-communicate. The incident response team should be able to provide a high-level impact assessment of the breach within 72 hours of the vendor receiving the data. This may be all that is needed for initial notification to the authorities. As the review progresses, the vendor can provide a specific list of Data Subjects needed to send exacting statements and notifications. Investing resources in data breach review will likely pay off in notification and lost business/reputation savings down the line.
Compare your obligations to the Data Subject’s compromised information
Knowing one’s obligations under each privacy law is made more useful when exact information about each Data Subject who has been breached is available. Armed with a list of Data Subjects, one can defensibly determine whether a person is compromised under GDPR or another regulatory regime. What is considered a breach under one regulation may not be considered a breach under another state, federal, or international regulation. Jason Sarfati, an attorney in Washington, DC, who frequently helps companies with these issues, said, “Determining which privacy standard should be applied to each Data Subject is one of the greatest compliance challenges organizations currently face.”
For example, under many state privacy regulations, exposure of an individual’s credit card number is not considered a breach of personal data unless it is accompanied by another identifying piece of information, such as a first name or initial and last name. Under GDPR, a different standard is applied: exposure of information is considered a breach if it is likely to impact the private life of the Data Subject. The data breach review vendor should have the capability to associate an affected individual with their compromised personal data and to group individuals by similarity. By assessing each Data Subject on a case-by-case basis, the legal team may determine that the number of affected individuals is less than initially assumed, thereby reducing the probability of abnormal churn.
Customize your notifications by customer segment
In conversations with researchers, a couple of effective practices are emerging about how to notify customers in order to reduce abnormal churn. A 2018 study, “The Effect of a Data Breach Announcement on Customer Behavior: Evidence from a Multichannel Retailer,” found that retail customers who know their data is vulnerable are at greater risk of abnormal churn or decreased spending. The co-author of the study, Ramkumar Janakiraman, stated, “Customers with low level prior experience with the retailer are more likely to really churn, while it is the loyal customers who are more likely to stick with the retailer. We do see churn, but it varies across high versus low loyal customers.”
Janakiraman explains that there is an opportunity for the retailer to personalize its email communications by customer segment. The retailer should be smart and use a different tone with customers who are new to the retailer. He stated, “Part of the communication strategy is to acknowledge, of course, the breach, and then focus on what the firm is doing to make sure that they help protect the customers from any further damage or misuse of that information…focus on the positives.” To accomplish customized notifications, your data breach review solution must be able to associate the final list of Data Subjects with your list of customers and customer profiles. Janakiraman said, “There is real empirical evidence that the loyal customers are the ones who are more likely to come back to the store and are more forgiving.”
CanopyCo’s flagship application has transformed the way incident response teams, legal service providers and legal practitioners perform data breach review. Gone are the days of having to rely solely on traditional legal tools, Excel spreadsheets, custom forms, and wasting hundreds of man-hours trying to perform manual entity resolution. Emergent is purpose-built for data breach review.