Survey: Security breaches could prove costly to data companies

Computerworld - Security breaches that compromise confidential customer data could prove far costlier for the companies involved than generally thought.
In a national survey of more than 1,000 victims of personal data security breaches, nearly 20% said they had already terminated their relationships with companies that maintained their data, while another 40% said they might do so. And nearly 5% of those surveyed said they had hired lawyers to seek legal recourse after their data was put at risk.
The numbers highlight growing consumer angst over personal data compromises, said David Bender co-chair of the privacy practice at White & Case LLC, a New York-based law firm that sponsored the survey. The survey was independently conducted by the Ponemon Institute LLC, a privacy think tank in Tucson, Ariz.
Ponemon's National Survey on Data Security Breach Notifications was completed in August and the results were released on Monday. The survey was conducted to find out how individuals reacted to data security breach notifications. More than 51,000 people were invited to participate in the survey via e-mail, and the results are based on the responses of 1,109 people who said they had been informed of breaches involving a compromise of their personal information.
"It was not surprising that consumers had already terminated or would want to terminate their relationships" after a data breach, Bender said. "What was surprising was the actual percentages. No one expects the consequences will be good [after a data compromise], but few realized just how serious the ramifications can be."
The timeliness, manner and effectiveness with which companies communicate the details of a security breach have a direct impact on the fallout, said Larry Ponemon, founder of the Ponemon Institute.
Companies that are straightforward in communicating what they know about a breach, as soon as they have the relevant details, are likely to see far less "consumer churn" than companies that are evasive, he said. How customers are notified of breaches also appears to be crucial, he said. Standard form letters and e-mails, for instance, are viewed far more skeptically than personalized letters and phone calls, he said.
In many cases, data breach notifications that are sent are simply overlooked or discarded as junk mail or spam.
"If a company has a breach and it wants to mitigate the potential costs and loss of customer trust they should start considering it as an important communication opportunity to prove to the customer that it cares about them," Ponemon said.
The fact that nearly 12% of survey respondents said their confidence in