Many health care organizations dread the day a data breach occurs and they must decide how to handle it, both for the patients whose data have been lost or stolen and under the law, which imposes notification and other requirements on them. The results of a recent survey offer organizations some wise advice that may help tamp down the negative response they face once customers learn of the breach.
The purpose of the 2012 Consumer Study on Data Breach Notification, which was conducted by the Ponemon Institute for Experian Data Breach Resolution, was to understand consumers’ perceptions about the importance and value of receiving notification after their personal information had been accessed because of a data breach. One of the survey’s findings was that consumers, while concerned about the privacy and security of their personal information, did not pay much attention to whether they received any breach notifications during the year. In fact, only 708 of 2,832 respondents (25%) could definitely recall receiving a data breach notice, and 51% could not recall whether they had received a notice at all. Fifty-seven percent said they did not want to be notified unless the organization was certain of the risk.
Of those who recalled receiving the notice, 62% said that the notice was a form letter, and of those, 36% said the letter looked like junk mail. The letter, according to 72% of respondents, was a disappointment because it did not provide sufficient information about how the breach occurred, what data had been lost or stolen, what the impact on them was and how the organization would protect them from any harm. Perhaps the most disturbing finding was that more than half the consumers who received notice of the data breach said they lost trust and confidence in the organization. Fifteen percent said they would discontinue their relationships with the organization immediately, and 39% said they would consider termination.
Given the dramatic impact a data breach has on a consumer’s perception of an organization, the survey concludes, “Resources spent on personalizing the message, offering assistance to reduce the likelihood of harm, and providing specific information about the incident may help organizations avoid the risk of losing customer trust and loyalty in the aftermath of a breach.”
Where does your organization concentrate its efforts when a breach occurs: on PR damage control or on customer contact? How much information is included in the contact with the customer?