During A Data Breach, Customers Will Stay—Unless You Alienate Them One At A Time
Written by Mark Rasch. Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
With all of the legal wrangling in the wake of the Hannaford data-breach appellate decision over who has to pay for what “damages” or “loss,” and to whom, one thing is lost. With today’s breach-apathetic American consumers, a multibillion-dollar breach will not likely cause merchants to lose any customers. When one of those impacted customers calls and asks for a replacement card and you say “$20, please,” that’s when you’ll lose that customer.
The appellate decision clarified the legal environment, but it merely said what self-interested chains should have been doing all along. From a merchant, vendor, supplier or technology consultant’s standpoint, the goals remain the same: Prevent the breach in the first place, and do what is reasonably necessary to control or mitigate the harm if a breach occurs.
The Hannaford court seemed to imply that what is “reasonable” depends on the nature and extent of the breach, the type of data subject to the breach, and what the bad guys do or could do with this data. In the long run, merchants suffering from data breaches need to step up to the plate and do the right thing, not simply because the law requires it (which it probably does) or because investors or consumers will punish them if they don’t (which they probably won’t) but mainly because doing the right thing ultimately protects their bottom line. Doing right by customers is both good business and good customer relations.
Forty-six states and several federal agencies have laws that mandate some form of data-breach disclosure in the event of a cyberattack. These laws have typically been perceived by merchants and companies as either a nuisance (I can’t believe we have to go to the expense of notifying customers), as punishment (hey, we are the victim here, why do we have to “fall on our swords?”) or as an encouragement to provide better security (if you know you have to disclose a breach, you are more likely to try to avoid one). As a result of these laws, merchants typically have to send out what I affectionately call “Otter Letters.” In the movie Animal House, Tim Matheson’s Eric “Otter” Stratton consoles Stephen Furst’s Kent Dorfman after the fraternity brothers borrowed and destroyed Dorfman’s brother’s car with these words of sympathy: “You f—ed up; you trusted us.” Such is the tenor of many letters to consumers who suffer a breach: “Dear valuable customer. You f—ed up; you trusted us.”
The Hannaford case points out the true purpose of data-breach disclosure laws—to ultimately protect the merchant. Data-breach disclosure, credit-fraud watches, credit freezes and reissuances of credit cards are designed to prevent further harm in the event of certain types of data breaches. By alerting customers to the possibility of identity fraud or identity theft, the merchant is enlisting their help in preventing such fraud through reasonable steps that can include, say, actually looking at your credit-card bill for unauthorized charges or cancelling a potentially compromised card.