Compensation in response to a data breach is most effective when it meets customers’ expectations for what is appropriate, according to a new study by information systems researchers at the University of Arkansas.
Such data breaches encompass privacy, information and security breaches.
In a longitudinal field study following the Sony PlayStation Network data breach in 2011, Hartmut Hoehle, assistant professor of information systems in the Sam M. Walton College of Business, and Viswanath Venkatesh, Distinguished Professor and Billingsley Chair of Information Systems, collected customer data and found that firms can alienate customers by offering too much in response to a data breach.
At the time, the Sony network breach was one of the largest data breaches ever, compromising personal and financial information of more than 77 million user accounts. The estimated direct costs of the breach exceeded $171 million.
When firms offered compensation aligned with customer expectations, the researchers found, customers responded favorably in three key customer outcomes – service quality, intentions to continue using the product or service and intentions to repurchase the product or service.
Perceived overcompensation – providing gifts or discounts that exceeded customer expectations – tended to make customers suspicious and therefore had an overall negative effect on intentions to repurchase the product or service.
“Our findings demonstrate that firms should carefully consider response strategies and associated investments to make amends following a data breach,” said Venkatesh. “Despite the high costs of compensating all customers, managers may be tempted to solve the problem by ‘throwing money at it’ due to pressure from dissatisfied customers, widespread media attention and competitors’ reactions to previous data breaches. Our findings emphasize that such a strategy may in fact be problematic.”
As data breaches become more frequent, companies such as Home Depot, eBay and Target, each of which has also suffered major breaches in the past five years, struggle to understand the appropriate compensation for customers whose personal or financial information is compromised.
Using a panel data provider, the researchers started collecting data immediately after hearing about the Sony breach and followed up with a second survey after compensation was provided by Sony.
Examples of free compensation were a month of free network membership and free downloadable content for customers whose PlayStation network accounts were breached. Perceived compensation beyond these offerings had a negative effect on intentions to repurchase the product or service, the researchers found. Also, any compensation that did not confirm expectations had a negative effect on repurchase intentions.
“These findings, we believe, are critical because organizations can overreact and thus make customers suspicious that there may be more to the breach,” Hoehle said.
The researchers’ study, published in MIS Quarterly, is one of the first to develop a model based on customer reactions to large-scale data breaches, which experts agree cannot be entirely avoided through technological and managerial measures.
Venkatesh and Hoehle collaborated with Susan Brown of the University of Arizona and Sigi Goode of Australian National University.