topic Re: IAPP report states 80% of impacts customers would not do business with organisation in Governance, Risk, Compliance

IAPP report states 80% of impacts customers would not do business with organisation

Caute_cautim — Mon, 09 Oct 2023 10:28:57 GMT

Hi All

Very interesting report, "More than 80% of impacted consumers said they are likely to stop doing business with a company after it is the victim of a cyberattack"

The IAPP first-ever Privacy and Consumer Trust report surveyed 4,750 consumers from 19 countries (including Australia but not NZ) and is well worth reading.

https://lnkd.in/dnz7x-nW

Regards

Caute_Cautim

Re: IAPP report states 80% of impacts customers would not do business with organisation

denbesten — Thu, 23 Mar 2023 13:16:28 GMT

I suspect that has to do with how the incident response is handled.

The typical cyberattack response seems to be "oops, change your password and here are a few years of credit monitoring, on us". From the customer perspective a detective control was added but nothing to actually mitigate nor repair the damage. In short, they frame the event as them being the victim of the attack instead of their customers being the victim of the data disclosure.

Contrast this with how Tylenol handled their 1982 crisis. After a few of their capsules were discovered to contain a poison, their response was to very publicly protect their customers, advertising "don't consume our product" and voluntarily recalling their entire product line. Recovery was similarly publicly obvious - redesigning their product (capsules became caplets) and introducing the concept of tamper evident packaging to the world. Both being a defense that "makes sense" to protect against an adversary-in-the-middle again tampering with the product.

Re: IAPP report states 80% of impacts customers would not do business with organisation

Steve-Wilme — Fri, 24 Mar 2023 14:52:53 GMT

Unlike Talk Talk in the UK, who handled their breach like this:

https://ico.org.uk/about-the-ico/media-centre/talktalk-cyber-attack-how-the-ico-investigation-unfolded/

Re: IAPP report states 80% of impacts customers would not do business with organisation

JoePete — Sat, 25 Mar 2023 12:21:36 GMT

@denbesten wrote:
In short, they frame the event as them being the victim of the attack instead of their customers being the victim of the data disclosure. Contrast this with how Tylenol handled their 1982 crisis.

Great observation and reference. A good milestone case regarding customer data was back in 2004 when a former AOL employee stole and sold the database to a spammer. The crime the individual was charged with basically amounted to theft of corporate data. The problem wasn't that 30 million people had now been subjected to the annoyances of spam; It was that AOL didn't get paid for it. AOL already traded and sold its customer database at will. It was essentially a marketing company that also sold online access.

While we have progressed in the US from that time (mostly due to state laws), fundamentally, we still do not own our own data.