Me, I think it’s time we get deeper into what this means.
First, the customers. Should they abandon a relationship because the organization has a security problem? To answer this, we first need to look at the type of organization. For governmental organizations, it’s very hard. They won’t let you go, and if they do, they won’t destroy the dossier they hold about you.
For regulated entities, they generally may not delete the information they collected for some number of years (the period varies, but it is always long enough for them to lose control of the data again).
For unregulated entities, you can’t (in the US) ask them to delete the database record either.
So for most breaches, the only value to abandoning the relationship is to stop paying the company. Which is a reasonable bit of retribution, but doesn’t actually add to security, and may subtract from it. It could subtract because (assuming you replace the service you were getting) there’s now an additional dossier about you.
Second, what’s the discrepancy? Why do 30% of customers report having closed a relationship, while Ponemon’s own numbers show a range of 2-7%? Three hypotheses spring to mind.
- Consumers are confused or lying. This would only make sense if you think the American people are idiots. The sort of folks who would ~~think Iraq had chemical weapons in 2002~~ buy books titled “Neurosurgery for Dummies.”
- Consumers are right, and are closing one of several relationships. All those numbers could be right if consumers are getting more notices than we think. This would be one of many problems with our volunteer-based systems for tracking breaches.
- The discrepancy is really notices sent versus notices received. That is, people are not opening the “Dear John Doe” letters.