By Martin H. Bosworth
ConsumerAffairs.com
April 17, 2007
The idea of refusing to shop at a retailer or merchant that has been hit with a data breach seems to be common sense. But although customers say they will take their business elsewhere after an exposure of personal information, it's far from clear whether they actually do so.
Seventy-seven percent of respondents said that they would take their business elsewhere, and 85 percent said they would bring more business to stores that protected their personal information, while 63 percent believed that merchants and retailers were the "weak link" in the information security chain, rather than credit card processors or banks.
"Consumers are jumpy, and have served notice that they will steer profits to companies they perceive as security leaders," Javelin president James Van Dyke said in a statement. "Merchants, payments companies and technology vendors should view PCI differently, from its ability to affect relationships and purchases and not just fines or fraud losses."
Javelin recently published a study claiming that losses from identity theft and fraud were on the decline -- a finding that was contradicted by information from the Federal Trade Commission and rival research firm Gartner. Both claimed that identity theft was actually on an upswing.
Another Javelin study found that the majority of identifiable identity theft crimes took place offline, rather than online, and usually involved stolen or lost physical items such as wallets or checkbooks.
TJX Bucks The Trend
The company at the heart of the biggest known data breach ever, TJX Inc., also contradicted Javelin's findings by posting strong sales numbers for the first months of 2007 and well as an increased stock price.
TJX posted sales of $1.7 billion for April 2007, an 11 percent increase over the previous year. The company also saw a 6 percent month-by-month sales increase from March 2007, and an overall 9 percent sales increase for the nine weeks of 2007. TJX President Carol Meyerowitz credited the healthy sales to "liquidity in inventories," and that the company provides "great brands, fashion and value to our customers."
Javelin analyst Mary Monahan, who authored the data breach report, said the TJX sales results pointed to "discrepancies" in consumer behavior.
"Consumers are promising to punish merchants who are lax with security on one hand, but it appears that they can't deliver on those promises because they can't differentiate who it is that's doing a better job of protecting their data," Monahan told InfoWorld.
Other analysts said that the convenience and price of discount retailers like TJX might outweigh the risks of shopping with a company that had suffered a data breach. Consumers might also be too set in their ways to change spending habits, and the threat of a data breach may not be seen as a real risk compared to the problems from switching stores.
Hidden Dangers
Data taken from the TJX breach was already tracked to several cases of fraud involving merchandise purchased at Wal-Mart stores in Florida. The thieves used the stolen information to purchase gift cards and then redeem them for high-priced goods such as plasma TVs and computers.
The data taken from the 46 million customers exposed in the TJX breach may never affect them directly, or it may affect them instantly. The information is sold and resold in the "underground economy" of black market chat rooms and bulletin boards that trade in stolen personal data. The data can be combined and mixed to create new "synthetic" identities which are harder to detect by typical fraud monitoring services.
Consumers may go months or years without noticing any kind of fraud on their accounts, until they suddenly start receiving bills in their name for services they didn't order, or they are turned down for loans or jobs due to activity pursued using their information.
