Shostack + Friends Blog Archive


Why Customers Don’t Flee

At Toorcon Seattle yesterday, I presented “Security Breaches are Good for You (like a root canal).” It’s similar to “Security Breaches Are Good for You” (my Shmoocon talk), but adds a number of points about people agreeing but not wanting to change (see “Psychology & Security & Breaches (Oh My!?)” and “When Do Customers Flee”). I also talked about TJX being well publicized as the largest breach out there, and their increased profits.

One of the questions that someone asked was “Why don’t customers flee?” I offered up several reasons for this:

  1. Customers view these things as mistakes, and are willing to accept a single mistake. (I covered this in “When do customers flee?”)
  2. People don’t have the opportunity to leave because they no longer have a relationship with the entity who made a mistake. For example, the USC admissions breach covered eight years of applicants.
  3. My final reason was that many breaches are by government agencies, and even regime change is unlikely to curb the state’s enthusiasm for identifiers. For example, Massachusetts’ mandatory health care apparently requires a company that prints the SSN on your health card.

Frank Heidt of Leviathan offered up a fourth reason, which is the “Jack in the Box” effect. After an E. coli incident killed four customers, sales apparently went up, as people expected that they’d clean up their act.

Another questioner challenged the idea that people had heard about TJX, or associated it with TJ Maxx. I think the latter is more likely, since the incident got major play on TV and in newspapers.

Toorcon, incidentally, was loads of fun, and props for the best badge presentation I’ve seen. (Photo by Mattdork.) The badges were in the form of a Willy Wonka candy bar, and were wrapped in a golden ticket to get you into ToorCon.Seattle 09.


7 comments on "Why Customers Don’t Flee"

  • Chris says:

    So your reasons for not fleeing are:
    1. Lack of an alternative (government)
    2. No longer a “customer” anyway (USC)
    3. ‘I forgive thee’
    How about
    “Too much of a PITA”?
    Baked into the idea that customers would flee in cases other than having a nearly identical substitute available at a very small switching cost is the notion that they are trying to send a signal, presumably in order to influence future organizational behavior.
    That’s an interesting idea. Not sure how to model it.

  • Matt says:

    Chris: Is “trying to send a signal” the same thing as “no longer trusts the entity that suffered the breach”? The latter seems to me the more immediate reason for customers fleeing.

  • Blake says:

    Sometimes customers don’t flee because they don’t actually care (much). There’s an argument to be made that disclosures actually inure consumers to security breach in that they receive so many notices and never see anything bad happen that they can’t figure out why it matters. Perhaps also all breaches are not created equally. Perhaps consumers, despite the hand-wringing, really don’t care about their credit card numbers being compromised — at least not in the same way they care about their SSN or medical records.

  • Chris says:

    I would say that when I “lose trust”, I have come to believe that the lifetime value of the “good stuff” I get from a relationship has fallen below that of my next best alternative, thanks to additional information about how the party with whom I am interacting is likely to behave.
    “Sending a signal” means I see the value dropping, but my next best choice is still inferior, but I nonetheless go there in the hope that the behavior of the one I have left will improve and I can come back and be better off overall.
    That sounds stupid, doesn’t it? Like I said, I do not know how to model it, but I think there is something there.

  • Roger says:

    The issue of why people apparently don’t flee after a data breach is puzzling, I agree. I don’t know if this will add to the discussion, but here are some random thoughts:
    In Canada, the TJ MAXX unit is called Winners that sells discounted clothing and household goods. There were apparently 250,000 Canadian card numbers stolen in the heist.
    If you take my partner and her mother (please!) as typical, the reaction was: (1) fear for the safety of their financial information; (2) when the sky didn’t fall, a tentative foray back (they know where to find things, they like the prices and the selection); and (3) when something was seen at the right price, grab it because it won’t be there next week (fear replaced by happiness).
    In this case, I think you could say that the Winners business model is sticky enough that shoppers will endure a few rough spots in the relationship.

    When talking about people’s concerns with privacy, there are usually three groups delineated: the privacy paranoid; the privacy pragmatic and the privacy don’t cares. If we assume that the privacy paranoid group probably pays by cash (can we?), then why should we be surprised at the lack of exodus? It could be argued that the people who are most likely to exit are not impacted.

    If I look at the four big breaches over the last few years: BJ’s and TJX in the retail sector; ChoicePoint; and CardSystems, I can see why the stock market impact was temporary in the first two cases rather than in the last two. The market measures the success of BJ and TJ by their merchandising abilities. CP and CS deal fundamentally with data – if anybody should know how to protect it, it should be companies like these – so problems are fundamental to their business model.
    Plus, the CP and CS errors were errors of co-mission – they both were doing things they shouldn’t (selling information to bad guys and storing prohibited information respectively); whereas the BJ and TJ errors were of omission – their internal controls were not strong enough to stop clever, determined thieves.

    Of course the other point is, maybe people who earn their living thinking about security and privacy are just not in tune with society and so are surprised when they shouldn’t be.

  • Mr. X says:

    Customers don’t flee, in part, because the _emotional_ impact of breach disclosure has jumped the shark.
    All those stories about lost tapes and laptops created sufficient background noise for people to not give a shit.
    “30,000 deaths caused every year by traffic accidents you say? Yawn.”

  • albatross says:

    Credit card and cellphone companies, among others, are infamous for sticking weird charges on bills, changing terms of agreements in fine print, and various other stuff that, if done by someone without a legal department and lobbyists, would be fraud. They don’t seem to lose much business there, either.
    Perhaps most of the alternatives appear indistinguishable, and changing is (as someone else proposed) a PITA? Perhaps most customers are too busy to bother if they don’t feel a direct impact that they can’t otherwise mitigate?
