So I’ve long thought that consumers treat breaches as mistakes, and generally don’t care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I’ll come back to that number.) But it gets worse when you have repeated breaches.
In the CSO blog, “What, When and How to Respond to a Data Breach,” we read the story of a third breach hitting the same customers:
“The worst thing is to have additional breaches, or to assume that additional ones will have the same impact as the first,” Ponemon warned. “One bank that we studied had a 2 percent customer churn [loss] rate in the first six months after a breach. Then there was a second breach, with some overlap with the victims of the first breach. The churn was 30 percent in the overlap population. Then about 2,000 people who were involved in those two breaches were involved in a third breach, and rate of churn among those 2,000 was nearly 100 percent.”
It makes sense that they leave, but would the bank have deleted their personal information after the breach? Law enforcement won’t let it. Banks are required to demand, and keep, all sorts of information about you, and neither the banks nor law enforcement pays the price when it leaks. Expect breaches to continue for as long as the rational risk tradeoffs a bank makes include the threat of being shut down for not collecting that data.
Some other thoughts on that customer churn number. Looking at the chart in Ponemon’s 2006 study, there are only 3 breaches where it’s above 5%, and one more where it’s above 4%. There’s no statement of what “average” means (mean or median?). There’s no comparison with customer loss rates in equivalent firms not reporting breaches. There’s no statement of the baseline levels, or of the variance. It’s marked in the graph as “abnormal churn,” but we don’t know how that’s defined. Is that an extra 2 percentage points on top of a normal 1%, or an extra 2% of the normal 1%?
I’d link to the study, but you have to register with PGP to get a copy. Register and download here.