Posted in: Data Security/Privacy

Feb 16, 2017

The Expectation Gap: What Do Your Customers Expect When It Comes to the Security of Their Personal Information

By Amy Marcen-Gaudaur and Aaron Baer

Customers frequently disclose personal information in order to engage with online retail, banking and social media platforms. However, a recent report by Gemalto (the "Report") reveals that customer expectations regarding responsibility for personal data security place a greater burden on the organizations holding that data than might be expected.

According to the Report, customers place 70% of the responsibility for the protection and security of customer data on companies, and only 30% on themselves. At the same time, fewer than 30% of customers believe organizations are taking data security seriously, and more than 50% are "fearful" of their personal data being stolen in the future.

The Report reveals that since 2013, approximately 4.8 billion data records have been exposed due to cybersecurity breaches. A staggering 64% of those breaches were attributable to identity theft, the most prevalent type of breach. Regardless of the risks (which most are well aware of), customers still actively use online retail, banking and social media sites, and willingly provide personal data in the process.

Customers are reluctant to change their behaviour, despite becoming increasingly aware of the threats posed to them online. In balancing convenience and security, customers ultimately trust that companies will keep their personal data safe, regardless of whether that trust is well-founded. At the same time, customers place relatively little responsibility on themselves. More than half of the customers surveyed by Gemalto admitted to using the same password across multiple online accounts. Businesses must therefore be prepared to respond to customer expectations by inspiring confidence in their cybersecurity strategies.

What's at Risk?

For customers, the negative consequences of a data breach can be severe. Identity theft and other cybercrimes can do serious damage to a person's financial and personal wellbeing. Gemalto found that a majority of customers surveyed had been affected by a breach and experienced the fraudulent use of their financial information and personal details. More than a quarter of customers affected attributed the breach to a failure of the company's data security strategies.

For businesses, the negative consequences of a data breach can also be severe and costly on a significant scale. After discovering evidence of a cyberattack, businesses are often forced to disclose the extent of the breach and take remedial steps to repair any damage done. This process is painfully public, and the resulting negative publicity can lead to a significant loss in customer confidence, customers and profits.

According to the Report, businesses should be prepared to lose significant business following a cyberattack or data breach. The following sets out the percentage of customers who responded that they would stop using a business altogether if a data breach were to occur:

  • Retail - 60% of customers said they would stop shopping online
  • Banking - 58% of customers said they would stop banking online
  • Social media - 56% of customers said they would stop using social media

Overall, 66% of customers surveyed said they were unlikely to use a business that experienced any sort of breach involving theft of financial or other sensitive information.

Meeting Customer Expectations

With nearly six in ten customers convinced they will fall victim to a breach in their lifetime, organizations need to be prepared to meet customer expectations and inspire confidence in their ability to protect customer information. According to the Report, lack of customer confidence is directly tied to a lack of strong cybersecurity measures.

As we recently outlined in an article on TheSpotlight.ca, there are a number of strategies that organizations can implement in order to prevent data breaches. These strategies include defining cybersecurity success, pressure-testing security capabilities and investing to innovate and outmaneuver adversaries. The Report also suggests the use of solutions such as two-factor authentication and data encryption, both of which are currently underused across banking, retail and social media spaces.

The privacy and data security experts at Aird & Berlis can provide timely support and legal guidance to help your business prevent and manage data breaches and cyberattacks.
