Compensation is useful in fixing relationships with customers following a data breach but can have a negative effect if companies overcompensate, according to a study from information systems researchers at the University of Arkansas.
Following the 2011 Sony PlayStation Network data breach, compromising 77 million user accounts, UA researchers Hartmut Hoehle and Viswanath Venkatesh conducted a long-term field study looking at panel data from its customers and followed up with a second survey after compensation was provided by Sony, according to a UA press release.
The estimated direct costs of the breach exceeded $171 million, according to the release. Compensation included a month of free network membership and free downloadable content, and when compensation went beyond that or did not match customers’ expectations, customers were less likely to say they would repurchase a product or service, according to the study.
When customers deemed the compensation to be proportionate to the issue, they were more likely to say they would continue or repurchase the service and rated Sony has having higher service quality.
“Our findings demonstrate that firms should carefully consider response strategies and associated investments to make amends following a data breach,” Venkatesh said in the press release. “Despite the high costs of compensating all customers, managers may be tempted to solve the problem by ‘throwing money at it’ due to pressure from dissatisfied customers, widespread media attention and competitors’ reactions to previous data breaches. Our findings emphasize that such a strategy may in fact be problematic.”
Venkatesh is Distinguished Professor and Billingsley Chair of Information Systems, and Hoehle is an assistant professor of information systems, both in the Sam M. Walton College of Business.
“These findings, we believe, are critical because organizations can overreact and thus make customers suspicious that there may be more to the breach,” Hoehle said.
The study, published in Management Information Systems Quarterly, is one of the first to develop a model based on customer reactions to large-scale data breaches, according to the press release.
Experts agree security breaches cannot be entirely avoided through technological and managerial measures. Home Depot, eBay and Target have each had large-scale data breaches in the last five years, so it is important for companies to consider appropriate compensation for when customers’ personal or financial information is comprised, according to the researchers.
Venkatesh and Hoehle collaborated with Susan Brown of the University of Arizona and Sigi Goode Australian National University.