Top Ten Wholesale News

The Jumpy Consumer—Lessons from the TJX Saga
Posted by Top Ten Wholesale at 10:25 am PT, August 10, 2007

By Patrick G. Clifford

This past March, San Francisco-based Javelin Strategy & Research released Data Breaches and Buyer Behavior: Moving PCI Compliance from Costly Burden to Competitive Advantage, a research report with findings that should have startled any retailer.
The nationwide survey of 1,200 credit and debit cardholders found that, in cases where little is known about a data breach, half of all consumers automatically consider the merchants where they shop to be at fault.

When it comes to protecting consumer data, retailers and merchants are viewed as least secure by 63% of consumers, followed by processors (16%), card networks like Visa or MasterCard (5%), and issuers (5%).

Most distressing of all, 77% of consumers intend to stop shopping at merchants that experience a data breach.

“Consumers are jumpy, and have served notice that they will steer profits to companies they perceive as security leaders,” says Javelin President and Founder, James Van Dyke. “Merchants, payment companies, and technology vendors should view PCI [the payment card industry] differently, from its ability to affect relationships and purchases and not just fines or fraud losses.”

The Problem, Writ Small
There’s a wine-and-liquor store within two miles of my home; it’s next-door to a supermarket and close to a Wal-Mart. So, naturally, it became my convenient choice whenever I needed a bottle of Merlot or a six-pack of Guinness.

As I checked out one day, I signed my credit-card slip and handed it back to the clerk. To my astonishment, she dropped it into a mason jar, sitting right there on the counter. I could clearly see my signature and Visa number, as well as those of prior customers. It would have been no problem for anyone to create a mild diversion, swipe the jar, and leisurely review the contents at home.

I expressed my concern; the twentysomething clerk clearly did not comprehend the danger. We went back and forth fruitlessly for a few minutes, until, exasperated, she removed my receipt from the jar and stashed it somewhere beneath the counter—no doubt only until I was out of sight. Later, I called the manager, but got no sense that he even understood the issue, never mind sought to correct it.

In the end, I punished this retailer in the way we all surely know it hurts most: by taking my business elsewhere without telling why, and advising all my friends to stay away. These days, I see the store’s breathless promotions in the local paper, I see the eye-catching posters every week as I pass to buy my groceries, but I don’t bite. The owners are certainly following someone’s advice on how to delight their customers, but they have lost their chance to delight me.

The Problem, Writ Large
I’m sure we can safely assume that our readers are not keeping customer data in jars on checkout counters. However, since a customer’s perception is a retailer’s reality, my personal anecdote may be more resonant than it seems.

The Javelin report centered on the now-infamous TJX data breach—which, as we’ll see, appears to illustrate that the typical consumer does not distinguish much among the various types and causes of identification theft, whether high-tech or low.

In brief, the story is as follows: In January 2007, TJX—the owner of about 2,500 stores under the TJMaxx, Marshall’s, HomeGoods, Bob’s Stores, and A.J. Wright brands, as well as other U.S. and European chains—revealed that it had suffered a data breach. Over the following weeks, the full extent became known: At least 45.7 million credit- and debit-card numbers had been stolen from its systems, as well as driver’s license numbers and other personal data for 455,000 people.

Hackers had apparently gained access to the TJX network and loaded unauthorized software onto the computers used to process and store transaction data. Some of the data were stolen even as transactions were being approved. Others were taken from encrypted files, because the hackers had even hijacked the decryption tool.

Javelin’s findings loomed over TJX as 2007Q1 drew to a close. Presumably, 77% of TJX’s customer base would hold the company responsible and abandon it.
On April 12, TJX announced its earnings. Sales for the five-week period ending April 7 were up 11% over the same period in 2006. Comparable store sales (i.e., stores open at least a year) were up 6%, actually beating market expectations. TJX also announced a 29% increase in its dividend. Immediately after the announcement, its share price was firmly at its pre-breach level, and at the time of this writing is up 24% for the year.

The Threat: Empty?
Javelin immediately got in front of the news, to express …well, what seemed to be simple vexation. Mary Monahan, the analyst who authored the report, addressed the discrepancies between consumers’ words and actions with a series of variously supporting and conflicting theories, including:
● consumers couldn’t deliver on their threats because they couldn’t identify who was at fault; and/or
● for every 1,000 lost or stolen records, only eight instances of actual fraud occur; and/or
● many consumers do not know the difference between data breaches (illegally accessing a database) and related data fraud (using stolen or fictional personal information)

By April 18, Javelin’s president had reluctantly recognized, “despite some very rigorous consumer research data and a thorough TJX industry case study in our most recent report, the disconnect between what consumers said they would do and what they actually did…. America keeps supporting TJX with their purchases.”

…or Growing?
Even among professionals, the TJX heist is being called “the perfect crime,” but such thinking brings false assurance.

It remains to be seen whether the last chapter in TJX’s story has yet been written. The company may manage to dodge the bullet, as the Veterans Administration and Wells Fargo did during their own respective data-loss scandals: Both were highly publicized yet (strangely) forgotten and (more strangely) forgiven.

But consider that ten or fifteen years ago few consumers knew what a credit report was; now FICO scores appear in late-night infomercials. Hundreds of formerly arcane technical terms and concepts have entered our vernacular, so that even those few people who don’t use computers understand, for example, what “login,” “upload,” and “online” mean.

As these high-profile stories accumulate, and consumers become more and more conversant in the terms and concepts of data security and privacy, the difference between “data breach” and “data fraud” will soon be dinner-table chat. At that point, a company perceived to be keeping its terabytes in a jar will lose its savviest customers overnight—and no bestseller, industry guru, or PowerPoint presentation can provide guidance in delighting a customer who has finally jumped.

Patrick Clifford is a Senior Consultant with Ogden Associates (OgdenConsultants.com). He is currently working with Ogden president Janet Murphy on the 2007 Customer Centricity Study, to be published this summer in cooperation with the National Retail Federation (NRF).