Caute_cautim
Community Champion

IAPP report states 80% of impacted customers would not do business with organisation

Hi All

Very interesting report, "More than 80% of impacted consumers said they are likely to stop doing business with a company after it is the victim of a cyberattack"

The IAPP first-ever Privacy and Consumer Trust report surveyed 4,750 consumers from 19 countries (including Australia but not NZ) and is well worth reading.

https://lnkd.in/dnz7x-nW

Regards

Caute_Cautim

3 Replies
denbesten
Community Champion

I suspect that has to do with how the incident response is handled. 

The typical cyberattack response seems to be "oops, change your password and here are a few years of credit monitoring, on us". From the customer perspective a detective control was added but nothing to actually mitigate or repair the damage. In short, they frame the event as them being the victim of the attack instead of their customers being the victim of the data disclosure.

Contrast this with how Tylenol handled their 1982 crisis. After a few of their capsules were discovered to contain a poison, their response was to very publicly protect their customers, advertising "don't consume our product" and voluntarily recalling their entire product line. Recovery was similarly publicly obvious - redesigning their product (capsules became caplets) and introducing the concept of tamper-evident packaging to the world. Both are defenses that "make sense" to protect against an adversary-in-the-middle again tampering with the product.

Steve-Wilme
Advocate II

Unlike TalkTalk in the UK, who handled their breach like this:

https://ico.org.uk/about-the-ico/media-centre/talktalk-cyber-attack-how-the-ico-investigation-unfold...

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
JoePete
Advocate I


@denbesten wrote:

In short, they frame the event as them being the victim of the attack instead of their customers being the victim of the data disclosure. Contrast this with how Tylenol handled their 1982 crisis.  


Great observation and reference. A good milestone case regarding customer data was back in 2004 when a former AOL employee stole and sold the database to a spammer. The crime the individual was charged with basically amounted to theft of corporate data. The problem wasn't that 30 million people had now been subjected to the annoyances of spam; it was that AOL didn't get paid for it. AOL already traded and sold its customer database at will. It was essentially a marketing company that also sold online access.

While we have progressed in the US from that time (mostly due to state laws), fundamentally, we still do not own our own data.