Breach Compensation: More is Not Always Better, Researchers Find

For retailers tempted to do “whatever it takes” to get loyal customers back after a data breach, a new study indicates they should consider compensation carefully. Research conducted by the University of Arkansas found when consumers’ expectations for compensation were exceeded, they became suspicious. University researchers conducted a study after the 2011 Sony PlayStation breach that compromised the personal and payment information of more than 77 million customer accounts. At the time, it was one of the largest data breaches ever.

The stakes are high for retailers. According to one recent report, retailers are at risk of losing up to 20 percent of their customers after a breach. When firms offered compensation that aligned with expectations, customers were more likely to respond favorably about the company’s quality of service and their intention to continue using the company’s product or to repurchase. Overcompensation had a negative effect on intent to repurchase.

In Sony’s case, consumers affected by the breach who were offered a month of free network membership and free downloadable content were likely to continue using the product or repurchase. Perceived compensation beyond these offerings had a negative effect on intentions to repurchase the product or service, the researchers found.

“Our findings demonstrate that firms should carefully consider response strategies and associated investments to make amends following a data breach,” said Viswanath Venkatesh, distinguished professor and Billingsley Chair of Information Systems at the University of Arkansas’ Sam M. Walton College of Business. “Despite the high costs of compensating all customers, managers may be tempted to solve the problem by ‘throwing money at it’ due to pressure from dissatisfied customers, widespread media attention and competitors’ reactions to previous data breaches. Our findings emphasize that such a strategy may in fact be problematic.”