  • GUEST BLOG: Compliance3 details contact centre data breach consumer research

    Stuart O'Brien

    By Glenn Hurley, Chairman, Compliance3

    Hardly a day seems to pass when we are not made aware of yet another organisation struggling to cope with a breach of its clients or customers’ personal data.

    Whilst this will have a diverse detrimental effect on the finances of the organisations involved, it can have a dramatic personal financial and emotional impact on the people, be they customers or citizens, it touches.

    Knowing that an organisation they deal with has had a breach of their information will be an anxious moment for everyone.

    Given this, how companies and public bodies handle these pre- and immediate post-breach situations can be vital to their chances of maintaining client satisfaction and in preventing a significant loss of customers.

    This is a report based on research completed by Compliance3 over the past 18 months and is a detailed analysis of the views of ordinary people on how the organisations they interact with should behave in the pre- and post-breach environments.

    It will also cover their feelings as they themselves reveal what they are thinking as they transact the customer journey. It is intended that the principal audience for the paper will be organisations, be they an international brand, a small to medium enterprise, a public body, or a charity.

    The heightened awareness, prompted in no small part by increased media coverage, of the likely impacts has undoubtedly fed its way into people’s consciousness in both the pre- and post-breach environments.

    Their own perceptions and emotions about how they really feel are as significant as those they have about the companies they entrust their valuable personal and payment card data with.

    One recently reported illustration of this is mentioned in the BT research reported by Dr Nicola Millard, and included below, which shows people are increasingly worried about security over the telephone. Conversely, 28% of the market would buy more over the telephone if they knew it was secure:

    I worry about security over the phone

    UK 2015 72% | UK 2011 51%

    Buy more over the phone if payment is secure

    UK 28%

    Source: BT Research Autonomous Customer

    Evidently, how companies treat their customers’ data can significantly influence their customers’ perception of how well they do – it is both a threat to the success of organisations and, interestingly, a massive commercial opportunity if handled correctly.

    In this White Paper, we show how in the pre- and post-breach environments people are considering their situation with a mixture of head and heart.

    Emotion and logic are mixed to give a situation where, unless you understand the elements in the mix, outcomes can be difficult to predict and even harder to understand.

    For our purposes, we have equated these to a mixture of trust and confidence being expressed by our respondents in the ability of organisations and their management to protect their information.

    Trust and confidence are two complex issues, the complexity of which we cannot begin to delve into here, but the following description may help and we have paraphrased the final sentence to suit our current situation:

    Both concepts refer to expectations which may lapse into disappointments. However, trust is the means by which someone achieves confidence in something. Trust establishes confidence. The other way to achieve confidence is through control. So, you will feel confident in your friend (organisation) that he won’t betray you if you trust him (them) or/and if you control him (them).

    Michalis Pavlidis · Senior Lecturer in Information Systems Security at University of Brighton (2)

    We will continue to explore this interesting relationship between trust and confidence in our respondents’ attitudes towards organisations throughout the rest of the White Paper. How do our respondents balance the trust and confidence equation, and are there ways organisations can increase their confidence by giving people more control?

    Accordingly, any organisation, when considering its incident response plan, needs to consider this mix. Doing so will give them the ability to defuse a highly charged situation and, in some cases, convert a disaster into a success – well, a partial one maybe.

    The US company Target Group, despite potentially losing the card details of up to 40 million customers, was only forecasting a 2.5% drop in sales and just for one quarter. (The Target Breach, By the Numbers, Krebs on Security, May 2014) (7)

    Whilst making several mistakes in the initial communication to customers, Target seemed to have prevented high levels of customer loss by a series of offers including discounts, free security software etc.

    The Research

    The research, designed to probe consumer views on card payment and personal data security and fraud in contact centres, was conducted in eight phases between January 2015 and July 2016.

    To get a robust, representative spread of respondents, we used a specialist consumer engagement platform, OnePulse, that enables quick market research by sending bite-size surveys known as ‘pulses’ to its panel via a mobile app.

    We sent the ‘pulses’ to a cross section of individuals from the entire UK-based panel to secure a statistically robust and representative sample of the wider population.

    Our approach to reporting the research has been to divide it into two main sections, pre- and post-breach, and by doing so attempt to follow a stylised customer journey.

    Within those sections, we have considered how respondents viewed organisations and then, separately, their own reactions and perceptions about both the pre- and post-breach environments.

    By arranging our reporting of the results in this way, we are going to illustrate what people’s perception of the organisations’ responsibilities are and their ability to secure their data in the pre-breach environment, and to show how people are likely to react in a post-breach situation and their views on the organisation that may have let them down.

    Understanding how people view an organisation and its management responsibilities in both scenarios can be a great help in planning what to do in an incident response situation and how to get right something that all too often goes badly wrong: open and honest communication with those directly affected, be they customers, members, or residents.

    Research Conclusions

    Having gathered feedback from 8,000 respondents and collected views across more than 20 topics in relation to pre- and post-incident response, what are the main conclusions we can draw?

    Breaches, if not well handled, are arguably the biggest threat to an organisation’s reputation and brand profile. They may well have direct financial consequences for the organisation, but the collateral damage they do, if they are handled incorrectly, can and will cost organisations far more.

    • 80% feel that organisations who don’t do enough to protect payment card data should be named and shamed
    • 40% of people wouldn’t buy from a breached brand, whilst a further 25% wouldn’t buy for a while

    In managing their incident response communications, organisations must be strong and factual, avoid emotion and give people the confidence to come back through strong reasoned logic. People who feel their trust and confidence have been abused will be thinking twice about continuing their relationship with the guilty organisation.

    • If an organisation experiences a breach, more than 3 in 4 of their customers/clients think they should tell all of them

    The difference between emotional response and confidence levels may well explain why companies don’t lose so many customers, or organisations don’t get the predicted levels of adverse reaction.

    Our results show the high degree of trust people have that their personal data is being well looked after by the companies they choose to do business with. This seems to persist even when they are not 100% confident that the company is always doing the right thing with their data. Other research suggests that if they are made to feel more confident and in control then the regular users could increase to closer to 30%.

    • Over 1 in 5 of respondents are regular (>2-3 times pcm) payment card users via the telephone
    • 86% have felt uncomfortable during a call, due to the amount of information they were asked to share

    Whilst they have a concern about why they are being asked to share some personal data, 65% feel comfortable when asked to do so.

    It appears that people have a high level of trust in organisations’ ability to keep their information safe in a pre-breach environment. However, we were curious about, and able to discover, how they might react when they are let down following a breach.

    • Over 60% were confident their data was being stored safely and securely
    • 70% are aware of what they should do to keep their personal data safe

    In the immediate post-breach environment, organisations can and do prevent serious levels of defection by having and delivering against a well-thought-through incident response plan. People are not overly demanding, wanting an honest and objective apology and the offer of compensation at not too extortionate levels.

    • 70% wanted an apology plus an offer of compensation

    In a post-breach scenario, and following the inevitable inquest, the market is going to be very unforgiving of any company that cannot demonstrate that it has done everything possible to protect its clients or customers’ personal data prior to the breach.

    In fact, it wouldn’t be unreasonable to predict that organisations who don’t handle their incident response well run the risk of those broken promises and trust unleashing an emotional volcano from which they may struggle to recover!

    • After a data breach, the first response of 50% of males and 60% of females would be to call the customer helpline
    • 30% would think twice about continuing to do business with a breached organisation

    Earlier, we highlighted how organisations can, by giving their clients and customers more control, increase their level of confidence and trust in the organisations they deal with. Furthermore, if organisations can do this then there are direct commercial benefits in doing so.

    Additionally, given the inevitability of organisations being breached, how they handle their incident response plans can make all the difference in preventing a bad situation from getting much worse.

    • 55% felt more confident sharing card details if the call centre agent couldn’t hear or see their card details
    • 55% would be more confident if they knew industry security standards were being met by the call centre

    Having been held in a position of value and trust, companies must demonstrate that this expression of confidence is reflected in their breach protection, compliant collection of information and in their post-breach incident handling plans.

    Companies need to be aware of and take action to prevent the increasing levels of fraud that involve the telephone in all or, most likely, part of the process.

    • In ranking terms, whilst financial loss, at 42%, is still ranked highest, concerns over identity theft and fraud are close behind

    People are prepared to share payment card and personal information with companies because generally they trust that it will be handled securely. Furthermore, they have confidence in organisations’ abilities to keep that data safe and secure.

    If organisations want to improve the level of trust, then they can do so by making the channels they are using more secure and giving more control over them to their clients/customers. Not forgetting that a good incident response plan backed with good, accurate and timely communication can control the emotional volcano that otherwise might have been unleashed.

    Conclusion Data

    • 20% of respondents are regular (>2-3 times pcm) payment card users via the telephone
    • 70% are aware of what they should do to keep their personal data safe
    • In ranking terms, whilst financial loss is still ranked highest, concerns over identity theft and fraud are close behind
    • More than 50% would be more confident if they knew industry security standards were being met by the call centre
    • If an organisation experiences a breach, more than 75% of their customers/clients think they should tell all of them
    • 75% wanted an apology plus an offer of compensation
    • 35% often or always feel that they have been asked to share information that made them feel uncomfortable.
    • 60%+ wouldn’t do business with or would be cautious about doing business with an organisation that had had a breach.
    • 60% would contact the customer helpline if the company they dealt with had a breach
    • 80% feel that organisations who don’t do enough to protect payment card data should be named and shamed
    • 65%+ are better than somewhat confident their data is kept safe and secure.


    About Compliance3

    Compliance3 helps contact centres cost-effectively achieve and maintain customer contact compliance – including GDPR and PCI DSS. In doing so, we help protect our clients’ revenues and margins and significantly reduce the risk of reputational damage and consequential revenue loss – as well as the costs associated with compliance.



