The evidence that a data breach can lead to a loss of customer trust is growing. This article sets out what we know about the relationship between data breaches, trust, and corporate reputation. It follows with a case study that shows how a data breach could influence trust. In the remainder of the article, we provide best practices for organizations on how they can regain customers' trust after a data breach.
There are different definitions of the concept of trust. These definitions comprise at least two dimensions: the willingness to rely on the trustee and the evaluation of the trustee on certain attributes such as credibility and benevolence.
Past research shows that data breaches can lead to a loss of trust
Trust can be measured by using a survey that includes questions about people’s perception of an organization, or it can be inferred from the actual behavior of people. A study in the first category finds that hotel loyalty customers, compared to non-loyalty program customers, significantly reduce their trust toward hotel organizations after a data breach. Another study shows that data breaches related to e-commerce could negatively impact customer trust and online shopping intent. A study in the second category shows that a data breach in the retail sector results in a significant decrease in customer spending and customers migrating from the breached channel to the secure sales channels of the retailer. Another study reports that data breaches could negatively impact trust and online shopping intent.
Data breaches have less impact on corporate reputation
Previously, we explained that data breaches can positively and negatively impact corporate reputation. Reputation and trust are linked concepts but not precisely the same. Trust is based on the trustor’s knowledge about the trustee (i.e., the organization), while reputation is built upon third-party ratings and recommendations. For instance, you may have a negative experience with an organization that makes you distrust the organization, while the organization generally has a positive reputation. Therefore, trust is likely to be affected by a data breach much more quickly than an organization’s reputation, which is more influenced by social network effects.
Case study: Data breach at the Dutch COVID-19 testing sites
In January 2021, Dutch national news medium RTL News found that thousands of address details, telephone numbers, and citizen service numbers were sold by a few employees of the Dutch organization responsible for the COVID-19 testing sites. The fraudsters used chat services such as Telegram and Snapchat and offered large files with personal data for sale. Upon request, the fraudsters even sold personal data from specific persons (such as VIPs).
The Hague University of Applied Sciences surveyed 2031 respondents (a representative sample of the total Dutch population) between February and March 2021. The researchers asked the respondents to indicate whether the data breach affected their trust in the professionals and organization responsible for the COVID-19 test and vaccination program. They looked at three indicators of trust: (1) trust in the professionalism of the health care workers and their organization, (2) adherence to the testing and vaccination program, and (3) the degree to which people will share personal information with health care workers and their organization.
The study shows that most respondents retain trust in the professionalism of the health care professionals. In addition, most respondents indicated that they would adhere to the testing policy.
However, the data breach also had a negative impact on the trust of the respondents. About 50% stated that they have trust in the organization responsible for the corona testing sites. In addition, 18.5% of the respondents reported that they might not comply with the corona testing policy because of the data breach. The majority of respondents stated that they expect the organization to take appropriate action and indicated that they could be reluctant to share sensitive personal information in the future.
What are best practices to regain customer trust after a data breach?
Research points to the following best practices, which may help organizations to regain people's trust after a data breach:
- Research has shown that meeting customers' expectations leads to the highest level of customer satisfaction, which is necessary to regain trust. Therefore, it is suggested that companies should consider investigating customer expectations in case of a potential data breach to generate the right interplay between remorse and compensation.
- In the same study, it is reported that people expect remorse and, to a lesser extent, compensation from organizations that suffered a data breach.
- Similarly, another study showed that admitting responsibility, offering an apology and, to a lesser extent, compensation have a more positive effect on reputation recovery than the denial and diminish strategies.
- The same study found that self-disclosure positively influences media reporting and gives companies the ability to control the narrative in the news (e.g. defining the attack as highly sophisticated or unprecedented). Hence, it is better to self-disclose the data breach than to have the media or other third parties disclose it.