Will Consumers Punish Vendors That Suffer a Data Breach?

If a new survey from API and application protection vendor ThreatX is accurate, a majority of U.S. consumers are less likely to work with a company following a data breach. At least, they claim that they are. The ThreatX survey highlighted consumers’ evolving attitudes toward data breach concerns and their purported willingness to pay more for what they perceived as adequate protection of their personal data. I’m not so sure. Let’s have a look.

The survey polled 1,000 consumers and revealed a generational divide when it comes to holding organizations accountable for data security. According to responses to the ThreatX survey, more than half of millennials and Gen Z consumers are very likely to switch to a competing vendor following a data breach. Only 38% of Boomers and Gen Xers said the same.

Interestingly, 60% of respondents said they would even consider paying a premium to vendors if it meant ensuring that those vendors were adequately protecting their data. Yet, only 10% of consumers reported feeling protected by their vendors, with 21% saying they would switch to a competing brand following a vendor data breach.

Consumers Fear Data-Breach-Fueled Financial Harm

The report also revealed that consumers feared data breaches would create a financial burden for them. And 40% of respondents ranked financial burden as a top concern following a vendor data breach amid the ongoing recession. The survey also suggested consumers do value transparent communication around a vendor’s security practices the most, followed by the measures taken in response to a breach.

Nearly half of consumers confirmed their data had been exposed following a data breach, and 90% agreed that they’re concerned this lack of protection would negatively impact their lives.

The ThreatX survey matched the results of several other surveys that examined similar questions. For instance, a 2020 survey by Security.org found that 64% of Americans are more concerned about online privacy than they were a year prior, with 49% saying they’re much more concerned. A 2021 survey by the Ponemon Institute found that 68% of consumers said they would stop doing business with a company if it experienced a data breach that resulted in the loss of personal information.

History Suggests Consumers Say one Thing and Do Another

I do not doubt that consumers are concerned about the security of their data. Still, I doubt that the majority of consumers who claimed they would switch vendors following a data breach would actually follow through. I’ve been following the information security space for about 25 years, and if there is one thing I know about security surveys, it is that consumers rarely act in the ways they say they will. In fact, in the early 2000s, a handful of privacy startups built their companies—or I should say tried to build their companies—based on consumers’ claims that they valued privacy and would pay for it. In reality, not so much, actually.

What could be in play here is the “social desirability bias.” The social desirability bias occurs when survey respondents provide answers they believe are socially acceptable or desirable rather than their actual attitudes or behavior. This happens because people want to present themselves in a positive light when concerned about how others might perceive their answers—even when speaking with strangers. This social desirability bias often affects the accuracy and validity of survey results.

While the failure of several privacy startups in the late 1990s and early 2000s can’t be blamed entirely on their belief in consumers’ responses and their overestimation of how willing a market they had, if consumers had acted in line with their stated, desired behavior, some of these companies might have been successful. Instead, these startups showed there wasn’t a viable market then.

Consider Zero-Knowledge Systems, founded in 1997. This startup offered privacy services for internet users. The company’s flagship product, “Freedom,” enabled customers to browse the internet anonymously. However, monetization proved elusive, and the company went bankrupt in 2004. Then there was SafeWeb, founded in 1999. SafeWeb offered a service called “Anonymous Web Surfing,” which also enabled users to browse the internet anonymously. SafeWeb gained visibility but never found a steady business model and was acquired by Symantec in 2003. Finally, there was The Privacy Company. Founded in 2000, The Privacy Company offered a secure email service and a privacy-focused search engine. It shuttered in 2002.

Now, let’s look at a number of surveys from roughly that same era. There is a 2002 survey by the Ponemon Institute found that 72% of respondents were willing to pay for privacy services that would help protect their personal information. A 2003 survey by TRUSTe found 80% of respondents were willing to pay for privacy services, such as secure email or anonymous browsing. Finally, a 2004 survey by the Yankee Group found that 56% of respondents were willing to pay for privacy services. Despite these encouraging survey results, it was undoubtedly difficult to find such attitudes reflected in consumer behavior at the time.

And there have been studies that show consumers don’t actually change their behavior after a data breach. Consider a 2019 study by researchers at Carnegie Mellon University. That survey found that while data breaches did lead to a short-term decrease in the number of people visiting breached websites, this effect was typically short-lived and consumers often returned to using the sites shortly after that.

So, the outcome appears to be little more than some customer churn.

The Stock Market: A Realistic Proxy Examining Human Behavior

The stock market is one place to look for a real-world reaction to data breaches. The stock price of companies that experience a data breach usually recovers after a breach—but the extent and speed of the recovery can vary widely depending on several factors, including the severity of the breach, the company’s response to the breach and the perceived risk to the company’s business.

Some studies have found that the stock prices of companies that experienced a data breach tend to decline in the short term as investors react to the news of the breach and the potential financial and reputational consequences. A 2018 study by Comparitech found the average stock price decline for companies that experienced a data breach was 7.27% in the first week after the breach.

However, the same study found that the stock prices of many companies tended to recover over time, with some companies returning to pre-breach levels within a few months or years.

It’s worth noting that the impact of a data breach on a company’s stock price can be challenging to predict, and there have been cases where a breach had little or no impact on the stock price or where the stock price has even increased. And there are market dynamics at play here, as well. A company that suffers a data breach during a bear market may see a more substantial decline and experience a longer recovery time. It’s all very dynamic with many factors.

Ultimately, the impact of a data breach on a company’s stock price will depend on a variety of those complex factors, and the market’s reaction may be difficult to predict or fully understand. Perhaps predicting stock impact is just like expecting how much people are actually willing to pay for improved data security or how long they’ll stay away from a vendor that suffered a breach of their data—if they do so at all.