The payments industry may have been under the impression that the steady drip of data breaches over the past few years has left U.S. consumers in a state of battle fatigue, where the cycle of hacking, recriminations and credential reissuance has become almost circadian. Indeed, it may have been the expectation of a cowed and apathetic public that partly led to Equifax’s inept disaster response after its data breach was finally made public.
However, this industry perception of how consumers react to loss of PII and consequent identity theft may be a case of chronically misguided “group-think” that completely underestimates the degree of discomfort that consumers have with the specifics of their identities being captured and traded without their knowledge or explicit consent. The Equifax breach may well be a point of reckoning, where identity brokers and those that rely on them come to realize just how much public antipathy there is to their core business model, resulting in a drastic change in the way that PII is used in future.
Winter is coming — the post-Equifax consumer backlash
As the scope and implications of the Equifax breach continue to grow, it is hard to speculate on what the outcome and repercussions will be at this early stage. The financial services industry could be on the brink of a nuclear winter in terms of lending, as rightly concerned consumers opt to freeze their credit until there is a greater understanding of the fallout from the breach and confidence is restored in the integrity of the system.
Other causal effects are less defined. The real issue with the Equifax breach may well be the level of abstraction that this presents in terms of damage control. Consumers are used to having a breach occur with a specific company that they have interacted with, such as a retailer or a health care provider. In such a situation, they have the opportunity to vote with their feet and find an alternative provider. However, Equifax is not necessarily an entity that consumers have willingly done business with and the company is so extensive in its reach across all verticals that this may result in a more pervasive consumer distrust in digital payments of all kinds. This is bad for all merchants, but not least small businesses that may be subject to greater consumer abandonment than their larger brethren.
In an unfortunate paradox, data from Javelin Strategy and Research illustrates that smaller companies are avoided at a higher rate that larger companies post data breach despite larger retailers being a more attractive target of fraudsters. If a breach occurs at a small online merchant, 47% of consumers will avoid said merchant. If the breach should occur at a large online merchant, 39% of consumers state that they will avoid that merchant. An even greater difference in consumer attrition occurs in the physical world – if a small brick and mortar retailer suffers a data breach, 38% of consumers will avoid them, but if a breach occurs at a large physical retailer, just 20% of consumers will avoid them. Issuers and FIs fare better after a data breach, with 19% and 14% of consumers avoiding them respectively.
How consumers react post-Equifax remains to be seen. Industry wisdom points to consumers’ endemic attention deficit and this event being quickly forgotten. But this may prove to be a situation without precedent.
A massive perception gap
In a 2014 survey conducted by the Ponemon Institute, three parties were asked whether they thought that organizations have a responsibility to control access to PII: consumers, CMOs and IT practitioners. Nearly three quarters of consumers said organizations had a responsibility to take care of their credentials, but just under half of CMOs and IT practitioners believed the same. This 25+ percentage point gap in perceptions between consumers and industry may have been a warning of things to come.
Consumers are losing sleep over data privacy
A survey by AT Kearney conducted before the most recent Equifax incident takes the temperature of U.S consumer sentiment towards data breaches. Overwhelmingly, U.S. consumers are concerned about data privacy, with 50% very or extremely concerned. A further 46% are concerned or somewhat concerned, with just 4% not concerned at all.
“There's a lot of conventional wisdom that is, that consumers don't care about this. All of this shared data is just part of being a modern digital economy, this is much ado about nothing,” said Bob Hedges, lead partner in the financial institutions practice of A.T. Kearney. “But that line of argument principally comes from the digital aggregators and the digital brands, where they want that to be true. It's a big inconvenient truth that consumers actually care about these things.”
Shoppers’ biggest ID theft fears have just come true...
A 2014 survey by Experian asked consumers about the types of PII they were most concerned about losing in a data breach; including Social Security numbers, passwords / PINs, payment card data, their driver’s license number and their address. Ranking highest was their Social Security number with 78% of consumers citing this as the most stressful and potentially costly information to lose, closely followed by passwords / PINs (71%) and card data (65%).
Unfortunately, the Equifax breach is something of an ID theft Armageddon scenario for consumers since ALL of the above PII were exposed in the hack. According to IDTheftCenter.org, prior to the Equifax incident, 2017 data breaches exposed just 10.3 million Social Security numbers. Post-Equifax, that number is fifteen times greater, or 153.3 million. Given the attitudes to SSNs exhibited in the Experian survey, it is arguable that the Equifax breach may be the straw that finally breaks the camel’s back when it comes to consumer tolerance of PII brokering.
Comfort with banks
A survey from AT Kearney found consumers are most comfortable sharing personally identifiable information with their primary banks, by a wide margin over card networks. Mobile wallet providers Apple and Google fared worse, with Facebook and large retailers earning relatively low ratings from consumers.
The sky IS falling
The AT Kearney research, while well timed, is not unique in its revelations that consumers are concerned about data privacy.
They are also concerned about how their data is being shared and are altering their behaviors because of these concerns, as evidenced in a number of other studies of U.S consumer sentiment from entities such as TRUSTe, National Cyber Security Alliance and KPMG. 90% of consumers stated that they find it intrusive that firms lease their PII to advertising companies and 82% are not comfortable with the sale of data to third parties. Further, 89% of consumers state that they avoid companies that do not protect their privacy and 74% have limited their online activity in the last year due to privacy concerns. Actions clearly have consequences.
Various trade organizations sent letters to a House Financial Services Committee task force saying lawmakers should "actively discharge their oversight prerogatives" as the national bank regulator considers giving licenses to companies that do not accept deposits.
Processing transactions quickly enough to serve digital commerce comes with arduous upgrades and complicated choices, but that's only the stick. The carrot is people like faster payments, so there's plenty of opportunities to boost payment revenue.