At some point, US organizations that became the victims of a data breach started offering credit and other financial monitoring services for free. These were meant, among other things, as an apology to customers, patients, clients, employees, what have you for the failure to protect sensitive data. New research seems to suggest that this could leave companies more exposed to dissatisfaction. The same research shows that a better approach may be to offer some sort of palpable benefit, if not a monetary one.
In one of the most dumbfounding conclusions I have read, a researcher at the University of Arkansas studied two approaches to compensating individual victims of a data breach: offering a 10% discount on purchases and free credit monitoring. The former was received favorably; the latter not so much.
On the face of it, such conclusions are understandable: free credit monitoring is, for all intents and purposes, useless. It won’t prevent fraudulent use of your personal info (you’d need a credit freeze for that); notification of any irregularities is generally slow; and it’s your right to get a free one each year. A 10% discount, on the other hand, is something you don’t get every day. It’s something you can bank on.
But it’s not this line of thinking that makes the 10% discount a better offer. The reason why the discount wins over the credit monitoring is that:
“Many customers disliked this strategy, regarding extended periods of free credit monitoring as overcompensation and risking the perception that there was more to the breach than the company communicated.”
One wonders if a 20% discount would also have landed in the “overcompensation” category and raised suspicions that things are not quite right. And what would happen at a 0% discount? Would it strongly imply that nothing is wrong?