How Compensating Customers for Data Theft Can Make or Break Consumer Loyalty

The Sony PlayStation data breach of 2011 was the stuff of information security legends. Seventy-seven million customer records were compromised, and Sony’s costs were estimated at more than $1 billion. As compensation, Sony offered subscribers free games, free premium features, and free credit monitoring, but in the larger game of customer loyalty, was that the right move? New research by Hope Schau is helping the banking industry understand how different generations approach money issues.

How companies should treat customers following a data breach is the key question explored in new research by MIS professor Susan A. Brown in collaboration with researchers at the University of Arkansas and Australian National University.

In a study that tracked PlayStation subscriber reactions immediately following the 2011 breach and later compensation package, Brown and colleagues showed that the differences between customer expectations and what they received predictably shaped service ratings and projected loyalty

Specifically, the team found that customers whose expectations were only modestly out of sync with the actual package gave Sony higher service quality ratings and were more likely to say they’d continue using PlayStation and make future purchases. When expectations were significantly out of sync, the negative impact on customers who were disappointed was much greater than the positive impact on those who got more than they expected. “Finally, a big gap between expectations and the actual compensation made customers less likely to make future purchases – even when compensation was more than expected,” said Brown. “This is a phenomenon we chalk up to perceptions of overcompensation seeding feelings of distrust.”

As the first study of its kind – one that tracked actual expectations and reactions in real time for a real data breach – the research offers protocols for approaching related inquiries as future breaches occur. It also offers practical insights for managers, suggesting that data security plans should anticipate what to offer customers when security fails. Of particular note is the finding that overcompensation doesn’t pay off and can even negatively affect consumer thoughts and actions.

To mitigate the risk of that misstep, the researchers suggest that organizations consider measuring customers’ expectations around theoretical problems before such problems ever occur. Only by knowing in advance what consumers would expect in various scenarios could they quickly respond in ways mostly likely to maximize loyalty and do effective damage control. The study “User Compensation as a Data Breach Recovery Action: An Investigation of the Sony PlayStation Network Breach” by Brown, Sigi Goode of Australian National University and Hartmut Hoehle and Viswanath Venkatesh, both of the University of Arkansas, is forthcoming in MIS Quarterly.

Image Courtesy of Pexels.