CIO

Mandatory breach reporting leaves companies nowhere to hide as consumers threaten to walk

Unconvinced about companies’ privacy commitments, 70 percent of customers would cut ties with a company after a data breach

As fraud continues to surge during the holiday period, consumers are becoming less tolerant of companies’ inadequate data-protection practices, according to new survey findings that suggest 70 percent of consumers would stop doing business with a company following a data breach at that company.

Fully 69 percent of the more than 10,000 consumers surveyed for Gemalto’s Data Breaches and Customer Loyalty 2017 report said they don’t believe businesses take the security of consumers’ data very seriously. Retailers were most at risk, with 61 percent of consumers saying they would leave a retailer after a data breach – comparable to the 59 percent who said the same about banks and the 58 percent who said it about social-media companies.

The figures can only be worrying for companies that face growing scrutiny over their handling of consumers’ personally identifiable information (PII) in coming months. Not only are consumers becoming sensitised to large-scale data breaches after mass breaches at organisations like Uber, Medicare and the Australian Broadcasting Corporation – but many are likely to be aware that the upcoming Notifiable Data Breaches (NDB) legislation will force Australian companies to come clean when they suffer a data breach.

Despite these pressures, many companies still aren’t updating essential security practices such as privileged-account management controls, which can track and limit employees’ access to sensitive PII.
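The two things such a control has to do, track every access to PII and limit what each employee can see and how much of it, are shown below in an added example. It is not code from the article, from Gemalto or from any vendor, and the roles, field classifications, per-role record budgets and the customer record are all assumed for illustration. Each read goes through a gate that masks fields the role may not see, refuses a user who opens more distinct records in an hour than their role allows (a valid account being used for bulk export), and writes a hash-chained audit entry so that later tampering with the log is detectable.

```python
"""Added example: a least-privilege gate for employee reads of customer PII.

Not from the article or Gemalto. The roles, field policy, budgets and the
sample record are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Hypothetical field classification: which roles may read which fields.
# A field not listed, or a role not in a field's set, is denied (default deny).
FIELD_POLICY = {
    "name": {"support", "fraud_analyst"},
    "email": {"support", "fraud_analyst"},
    "card_last4": {"fraud_analyst"},
    "card_number": set(),  # the full card number is never shown to a person
    "dob": {"fraud_analyst"},
}

# Hypothetical per-role budget: distinct customer records a user may open
# inside a rolling window. Roles missing here get a budget of zero.
RECORD_BUDGET = {
    "support": (5, timedelta(hours=1)),
    "fraud_analyst": (100, timedelta(hours=1)),
}

MASK = "***"


@dataclass
class PiiGate:
    """Mediates every read of a customer record and keeps a hash-chained audit log."""
    audit: list = field(default_factory=list)
    _opened: dict = field(default_factory=dict)  # user -> [(timestamp, customer_id)]

    def read(self, user, role, customer_id, record, now=None):
        now = now or datetime.now(timezone.utc)
        allowed = {f for f, roles in FIELD_POLICY.items() if role in roles}

        # Budget check: how many distinct records has this user opened in the window?
        limit, window = RECORD_BUDGET.get(role, (0, timedelta(0)))
        recent = [(t, c) for t, c in self._opened.get(user, []) if now - t < window]
        distinct = {c for _, c in recent}
        if customer_id not in distinct and len(distinct) >= limit:
            self._log(now, user, role, customer_id, "DENY", [])
            raise PermissionError(f"{user} ({role}) not permitted or over record budget")
        recent.append((now, customer_id))
        self._opened[user] = recent

        # Field-level masking: the caller only ever receives what the role may see.
        view = {k: (v if k in allowed else MASK) for k, v in record.items()}
        self._log(now, user, role, customer_id, "READ", sorted(allowed & record.keys()))
        return view

    def _log(self, now, user, role, customer_id, outcome, fields):
        # Each entry commits to the previous digest, so edits or deletions in the
        # middle of the log break the chain.
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        entry = {"ts": now.isoformat(), "user": user, "role": role,
                 "customer": customer_id, "outcome": outcome, "fields": fields, "prev": prev}
        entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def verify_audit(self):
        """True if no entry has been altered or removed from inside the chain."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def run_demo():
    """Walks through the gate with a constructed record; returns the observations."""
    t0 = datetime(2017, 12, 1, 9, 0, tzinfo=timezone.utc)
    record = {"name": "Jane Citizen", "email": "jane@example.invalid",  # constructed
              "card_number": "4111111111111111", "card_last4": "1111", "dob": "1990-01-01"}
    gate, out = PiiGate(), {}
    out["support_view"] = gate.read("alice", "support", "cust-1", record, now=t0)
    out["analyst_view"] = gate.read("bob", "fraud_analyst", "cust-1", record, now=t0)
    for i in range(2, 6):  # alice now has 5 distinct records open this hour
        gate.read("alice", "support", f"cust-{i}", record, now=t0 + timedelta(minutes=i))
    try:
        gate.read("alice", "support", "cust-6", record, now=t0 + timedelta(minutes=10))
        out["sixth_record_denied"] = False
    except PermissionError:
        out["sixth_record_denied"] = True
    out["reread_allowed"] = gate.read("alice", "support", "cust-3", record,
                                      now=t0 + timedelta(minutes=11))["name"]
    out["after_window"] = gate.read("alice", "support", "cust-6", record,
                                    now=t0 + timedelta(hours=2))["name"]
    out["audit_ok"] = gate.verify_audit()
    gate.audit[0]["outcome"] = "DENY"  # simulate someone editing the log afterwards
    out["audit_after_tamper"] = gate.verify_audit()
    out["entries"] = len(gate.audit)
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash chain detects edits and deletions inside the log but not truncation of its tail; in practice the latest digest is anchored somewhere the log writer cannot change, such as a separate log sink or a signed checkpoint. The budget is per user and per role, so a support account that is phished still cannot be used to walk the whole customer table in one sitting, which is the failure mode that turns a single compromised credential into a reportable breach.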

Users are little better, according to the Gemalto figures: fully 41 percent of respondents said they do not use two-factor authentication to protect any of their social-media accounts, and 56 percent said they use the same password across all or some of their accounts.

This, despite findings that 67 percent of respondents are concerned that their PII will be stolen at some point – and that 17 percent have already been hit by fraudulent use of their PII. Yet the surveyed consumers believe companies bear two-thirds of the responsibility to protect user data – and 93 percent of consumers said they would, or would consider, taking legal action against a company that allowed their data to be breached.

There is little consolation if less-sensitive data is stolen: although two-thirds of Gemalto respondents said they would stop doing business with a company where financial and other sensitive information was stolen, 51 percent said they would do the same where passwords were stolen – and 49 percent would leave even if only non-financial information was stolen.

Australian companies have already been warned about the potential hit to their share price, and will have nowhere to hide once NDB provisions force them to disclose incidents that could open them to consumer action.

The Gemalto findings reinforce recent Centrify research that found companies with a poor security posture saw customer churn increase by 7 percent – and that a third of Australian consumers had cut their relationship with a company after a data breach.

With online shopping exacerbating security risks during the holiday season, the figures take on new currency in the wake of Jumio findings that fraud over the Black Friday-Cyber Monday period increased 182 percent from 2014 to 2016.

Cybercriminals are wasting no time in exploiting fake photos and IDs as they try to turn data breaches into fraud opportunities. Increasing targeting of consumers’ financial data is highlighting cybercriminals’ underlying efforts to monetise PII, and companies offering inadequate protections are doing little to limit that potential.

Poor protections also raise questions about the monetisation of personal information about consumers – a trend that has motivated both dark-web hackers and otherwise-legitimate businesses to straddle the line between privacy and exploitation.

Concerns about the integrity of data-collection schemes have led no less than United Nations special rapporteur Joe Cannataci to warn about the unfettered collection and monetisation of personal data, with a report delivered to the UN General Assembly warning of a vacuum in international law around online surveillance and privacy. Comment on that report is open through March, when an international conference will be held in Australia to discuss its preliminary conclusions.