• Companies which refuse to brush data breaches under the rug stand a better chance of retaining consumer trust
• Having a transparent relationship with customers and a proactive solution in place goes a long way in reassuring customer concerns
• With holding and analysing customer data becoming ever more vital for business operations, it is vital for companies to continually invest in new protections

Last month, the owners of fast fashion retailer SHEIN were fined a whopping $1.9 million by the State of New York for its handling of a significant data breach it had suffered back in 2018.

Whilst the capabilities of cyber-attacks, and those behind them, often far outstrip the pace at which companies can put sufficient protections in place, in SHEIN’s case it was not that the hackers had simply been too clever for their web team to combat. According to the ruling by the Attorney General, the company had failed to put sufficient protections in place when it came to safeguarding their customers’ sensitive, personal information.

Not only that, according to reports, the company had also completely failed to notice that any data breaches had taken place – being alerted to the news via a third party some time afterwards.

From there the story only gets worse. When the discovery was made, instead of focusing on rectifying the situation for their customers, the retailer instead attempted to cover it up. From downplaying the number of customer accounts implicated (SHEIN’s initial reports stated that only 6.42 million accounts had been affected – in reality the number was 39 million), to failing to notify customers of the breach, not asking for passwords to be reset, and even lying to customers about whether their credit card information had been taken by hackers.

Unfortunately, despite the scale of both the breach, the company’s inability to handle it and the subsequent fine, it seems unlikely that SHEIN will lose much in custom moving forward. Despite a growing movement of younger consumers demanding greater ethical conduct from retailers, the lure of cheap, fast-paced and near limitless fashion is perhaps too strong for customers to look elsewhere. Indeed, in April this year SHEIN was valued at $100 billion, according to Bloomberg.

However, such a catastrophic failure to do right by consumers could prove to be the undoing of other companies.

Interestingly, according to new research from Durham University Business School, it is not the instance of a data breach itself that could cause customers to sever ties with a company, but how the company chooses to handle it.

The study, published in the International Journal of Information Management, finds that organisations which suffer breaches in which customer information is put at risk are far more likely to retain consumer trust if they are both swift and transparent in communicating the incident, and are then proactive in setting out a solution.

Co-authored by Dr Spyros Angelopoulos, alongside Robert Davison from City University of Hong Kong as well as Noury Janse, Carol Ou, and Xiaowei Zhang from Tilburg University, the study sought to better understand the actions that organisations typically take in the event of security breaches, and the subsequent reactions of consumers.

Dr Angelopoulos and his team do not state that all data breaches can be avoided – to the contrary they acknowledge that it is near-impossible for any organisation to be able to be impervious to attack. What their study focuses on instead is how companies should best handle such instances. Through their investigations, the researchers aimed to guide organisations in creating response strategies that could enable them to maintain consumers’ trust as well as protect their standing in the market.

“Data security and privacy are becoming paramount as organisations are called to steward increasingly large amounts of sensitive information about their customers,” Dr Angelopoulos says. “Concurrently, the difficulties in developing, implementing, and executing effective information security measures in conjunction with the inevitable and unforeseen security vulnerabilities, make the prevention of security breach incidents practically impossible.”

“However,” he continues, “what organisation can plan for is their response strategy when such incidents occur.”

To capture authentic consumer appraisals on how security breach incidents have been handled previously, the researchers conducted experiments and developed a conceptual model which reflected the most common forms of security breach within e-commerce, along with the typical response strategies of affected organisations.

Typical breaches included virus attacks or deliberate information theft whereas response strategies ranged from “no response” to a “moderate” or “defensive” strategy from the organisation. The researchers ran a series of simulations with study participants which replicated real-life data-breach situations in the form of anecdotes of user experiences with data breaches. From this, participants were then questioned about their perceptions as to the awareness of perceived risk for the customer and the organisation’s response.

Their investigation confirmed that the key factors for retaining consumer trust following a security breach are; the perceived risk by consumers, the severity of the breach and the response efficacy of the affected organisation. The study also revealed that the type of data placed at risk also played a key part in determining consumer response, with financial and privacy risks found to be the most influential factors in determining consumers’ intentions to return their custom to an affected organisation following a breach.

The chosen response strategy of the affected organisations, proved to be the most vital element in retaining consumer trust. Whilst it could be presumed that announcing a security breach would alarm consumers, the researchers found that by adopting a more proactive response organisations can decrease consumers’ risk perception and even positively boost their public appraisal.

Far from hiding or down playing data breaches, Dr Angelopoulos’ study shows that transparency and proactivity can be powerful tools for retaining consumer confidence. The study also shows that such confidence can be further built upon if attacks happen more than once. Another factor which was revealed to build consumers’ reassurance was historical evidence of other similarly well-handled incidents by a company. “The way in which organisations choose to conduct themselves in the aftermath can help to mitigate the ramifications for failing to adequately steward sensitive customers’ data in the first place,” Dr Angelopoulos says.

And, of course, securing consumer reassurances is an important move for any company – whether seeking to grow their operations or simply stay afloat. In an era where every service is publicly rated – and where those ratings can sink a business – public approval matters.

Of course, proactivity is only part of the solution. As data plays an increasingly vital part in how organisations operate and make decisions, the study recommends that not only more robust security measures should be put in place, but they are monitored and updated more regularly. Additionally, the study recommends that such measures should be communicated to consumers proactively to better manage their perceptions of risk.

Ultimately, burying the details and trying to maintain a perfect façade when data breaches occur is likely to do more harm than good in the long run…

… Unless you’re in the business of fast fashion it seems – in which case you can most likely distract your customers with a well-priced jumper or a flash sale.