A recent study at the University of Arkansas suggests that organizations should avoid doing too much for individuals affected by a data breach. That is, when an organization provides compensation to breach victims that exceeds what those victims expected, the gesture can backfire. The victims may become suspicious, thinking the organization has something to hide, which can reduce their willingness to continue doing business with it.
If your organization has gone through a data breach, you know the anxiety that accompanies the process. Among other things, the organization has to quickly secure its information systems, investigate how the incident happened, and coordinate with law enforcement and other agencies. But perhaps the biggest question is what to do for the individuals affected by the breach beyond providing breach notification.
Most state data breach notification statutes require only that affected persons be given notice of the breach; California and Connecticut are the exceptions, requiring that credit monitoring and related services be provided following breaches involving certain personal information. Yet, when planning their breach response, many organizations consider what to do for affected persons regardless of what state law requires. In many cases, companies wind up offering credit monitoring and related remediation services, and some also provide compensation of some kind.
The study found, however, that when compensation (gifts, discounts, free memberships, and the like) exceeds what affected persons expected, those persons are more likely to become suspicious than appreciative. Suspicious persons are not only less likely to associate with the organization or continue to buy its products or services; they are also more likely to inquire more deeply into the incident or take legal action.
When considering breach response strategies, therefore, organizations should think carefully about the kinds of benefits or compensation they offer to persons affected by a breach. We have emphasized here many times the importance of developing a breach response plan and practicing it. That process should include thinking through different remediation strategies, including what credit monitoring services or compensation, if any, the organization would be prepared to offer in the event of a breach. According to the study, a rash decision to provide generous compensation, made in the heat of an actual breach, could be the wrong one.