A new study out today confirms experts' belief that in the wake of mega breaches at retailers like Target and Home Depot, consumers are reaching a point of "breach fatigue." Conducted by Ponemon Institute on behalf of RSA, the survey report released today shows that consumers really do little to alter their shopping behavior following breaches at their favorite stores. However, their antennae are up and they do have preferences about how online retailers handle security measures such as authentication.
Among the 1,000 consumer respondents who participated in the study, half have been the victim of a breach. But a mere 14 percent reported that they care enough about privacy that a data breach at an institution they do business with would affect their shopping or banking behavior. While the majority of those polled say they do care about their privacy to some degree -- just not enough to change their online behavior -- some 23 percent said that privacy has absolutely no influence over their consumer perceptions or behaviors. Among all respondents, the increased news of retail breaches has affected the way some consumers spend their money. Approximately 49 percent reported that they are still shopping online, but they're now putting away their debit cards more often in favor of their credit cards.
"That ultimately comes down to the fact that as a consumer, do I want to be out of that money out of my checking account or would I rather deal with a statement later and fight it via my bank on my credit card?" says Ruben Rodriguez, principal product marketing manager in the fraud, risk, and intelligence group at RSA. "That has caused some hesitation and a shift in what they do, but they're still shopping and using their cards. It's just a difference between using one versus the other."
This isn't the first survey to support the theory that as news of breaches continues to saturate the headlines, consumers these days are taking a somewhat ho-hum attitude about it all. Last month, a report from Software Advice, an analyst subsidiary of Gartner, found among a pool of 4,000 consumers that only two of the top breaches in 2014 reached higher than 23 percent awareness. Also, as the year has worn on, consumers seem to have tuned out about breach news: Awareness of Target's nearly year-old breach registered higher than the bigger, more recent Home Depot breach. And the mega breach at eBay hardly affected perception at all, with 77 percent of respondents unaware it even happened.
"The results of our poll suggest that the public may already have reached 'peak breach,' responding to most of these stories with a shrug," writes Daniel Humphries, market research associate for Software Advice. "A breach has to be truly massive, and focus on credit cards over other types of data loss, for it to attain any serious level of public awareness. And even then, the Home Depot breach seems to be having less of an impact than the Target breach did -- so even the mega-breaches may be having less impact."
Nevertheless, consumers still have strong opinions about how companies should protect their information and how they should respond to breaches.
Approximately 62 percent of consumers say that they don't trust systems or websites when they only use passwords to authenticate users or when identity and authentication procedures seem too easy. And 77 percent of consumers say that when a breach occurs, they view prompt notification as important -- however, just 21 percent of consumers are very confident that retailers are actually telling them when their information has been compromised.