
How Data Breaches Influence Consumer Purchases

by John DiGiacomo, Partner

Data Breach

Information Age has reported on a Thales survey of UK consumers which found that data breaches influence consumer purchases. According to the survey, 84% of UK consumers would stop using a brand's services after a data breach, and only 16% would keep using a brand they discovered had suffered multiple breaches. One in five respondents said they would stop using the service entirely, and 37% said they would keep using it only if no alternative existed.

The results showed that theft of money from bank accounts was the primary concern, cited by 46% of respondents, followed by identity theft (38%).

“The theft of money from someone’s bank account as the result of a breach is a very tangible fear, but realistically it is much less likely than other outcomes,” said Sol Cates, VP of technology strategy at Thales e-Security. “The implications of identity theft should pose far more of a concern. They can be extremely painful and long lasting, with clean-up from incidents taking months or even years, and having long term effects on using and obtaining credit when it is really needed. Once your data is ‘in the wild’, your life is never the same.”

Forming a Data Breach Response Plan

These numbers make clear that data breaches influence consumer purchases. Companies need to have a clear data breach response plan in place in the event of a data breach. If you have been the victim of a data breach, contact our experienced data breach attorneys today or call us at 855-473-8474.

The Legal Consequences of a Data Breach for Businesses

Consumer behavior is not the only thing at stake when a company suffers a data breach. The legal exposure is substantial. Businesses face a layered web of liability under federal statutes, state data breach notification laws, and common law tort claims.

At the federal level, sector-specific statutes impose baseline obligations. The Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809) requires financial institutions to safeguard customer financial information, and its implementing rules and regulatory guidance require notice to regulators and, for banks, to affected customers following certain breaches. The Health Insurance Portability and Accountability Act (HIPAA), codified at 42 U.S.C. § 1320d et seq. and implemented through regulations at 45 C.F.R. Parts 160 and 164, requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets following a breach of unsecured protected health information. Violations carry civil monetary penalties with an inflation-adjusted cap of approximately $1.9 million per violation category per calendar year.

Every U.S. state now has a data breach notification law. These laws define what constitutes personal information, set notification timelines, specify the method of notice, and in many states authorize the state attorney general to bring enforcement actions. The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA) at Cal. Civ. Code §§ 1798.100–1798.199.100, gives consumers a private right of action when their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. A class action following a large-scale breach can easily produce eight-figure liability exposure before trial.

Brand Damage Translates Directly to Revenue Loss

The Thales survey data aligns with findings from multiple independent studies. The Ponemon Institute’s annual Cost of a Data Breach Report has consistently shown that companies experiencing a data breach suffer measurable customer churn in the months that follow. Ponemon quantifies this as the “abnormal churn rate,” the share of customers who leave or reduce spending specifically because of the breach. Industries handling sensitive financial or health data (banking, healthcare, pharmaceutical) consistently show the highest abnormal churn rates.

The reputational damage compounds when news coverage amplifies the breach. Companies whose breaches receive widespread media coverage can see depressed customer acquisition for up to two years post-breach, even after technical remediation is complete. This downstream revenue impact is rarely reflected in initial breach cost estimates, which focus on immediate remediation and notification costs rather than the multi-year customer lifetime value implications.

What a Data Breach Response Plan Must Include

Given the consumer behavior and legal consequences described above, every business that collects personal data needs a documented, tested data breach response plan. The plan should address the following elements:

  • Incident identification and containment. Establish procedures for detecting unauthorized access, isolating affected systems, and preserving forensic evidence. The longer a breach goes undetected, the larger the scope of potential liability.
  • Legal counsel engagement. An attorney should be involved from the earliest stages. If the forensic firm is retained through counsel and the engagement is structured correctly, attorney-client privilege and the work-product doctrine can shield the forensic investigation and internal communications from later disclosure in civil litigation; courts have not uniformly extended that protection to forensic reports that also serve ordinary business purposes, so the structure matters.
  • Notification compliance. Identify which state notification laws apply based on the residence of affected individuals, not the state where the business is incorporated. Some states require notification within 30, 45, or 60 days of discovery, and several require separate notice to the state attorney general once the number of affected residents crosses a threshold. Map the applicable laws before a breach occurs, not after.
  • Consumer remediation. Offering credit monitoring services and identity theft protection can reduce both the immediate harm to consumers and the long-term churn rate documented in breach-response studies. Some courts and regulators have credited meaningful remediation in penalty determinations.
  • Regulatory reporting. Certain breaches trigger mandatory reporting to the FTC, HHS, state attorneys general, or banking regulators, and public companies must disclose material cybersecurity incidents to the SEC on Form 8-K within four business days of determining that the incident is material. Missing a regulatory filing deadline adds a separate layer of penalty exposure on top of any notification violations.
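The notification-compliance step above is the one most easily turned into a pre-breach artifact. The following is an added example, not code from the original post or from Revision Legal: it takes a constructed roster of affected individuals keyed by state of residence and a discovery date, groups the roster by state, computes each state's consumer notification deadline, and flags states whose attorney general must also be notified because the resident count crosses that state's threshold. The STATE_RULES table is a hypothetical four-state subset with placeholder figures; every value in it is an assumption and must be replaced with counsel-verified numbers from the current statutes before use. An unmapped state raises rather than being silently skipped, which is the point of mapping the laws before the breach.

```python
"""Breach notification deadline mapper (added example, not from the original post)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class StateRule:
    consumer_deadline_days: int       # days from discovery to notify residents
    ag_threshold: Optional[int]       # notify the AG when affected residents >= this
    ag_deadline_days: Optional[int]   # days from discovery to notify the AG


# HYPOTHETICAL placeholder values for illustration only (assumption):
# verify each against the current statute with counsel before relying on it.
STATE_RULES: Dict[str, StateRule] = {
    "CO": StateRule(consumer_deadline_days=30, ag_threshold=500, ag_deadline_days=30),
    "FL": StateRule(consumer_deadline_days=30, ag_threshold=500, ag_deadline_days=30),
    "TX": StateRule(consumer_deadline_days=60, ag_threshold=250, ag_deadline_days=30),
    "WA": StateRule(consumer_deadline_days=30, ag_threshold=500, ag_deadline_days=30),
}


@dataclass(frozen=True)
class Obligation:
    state: str
    residents: int
    consumer_deadline: date
    ag_deadline: Optional[date]   # None when the AG threshold is not met


def unmapped_states(affected_states: Iterable[str]) -> Set[str]:
    """Pre-breach audit helper: states in the roster with no rule on file."""
    return {s.upper() for s in affected_states} - set(STATE_RULES)


def map_obligations(affected_states: Iterable[str], discovered: date) -> List[Obligation]:
    """One Obligation per affected state, earliest consumer deadline first.

    Raises KeyError for a state missing from STATE_RULES so that an unmapped
    jurisdiction surfaces immediately instead of being dropped from the plan.
    """
    counts = Counter(s.upper() for s in affected_states)
    obligations = []
    for state, n in counts.items():
        rule = STATE_RULES[state]  # KeyError here means "map this state first"
        ag_deadline = None
        if rule.ag_threshold is not None and n >= rule.ag_threshold:
            ag_deadline = discovered + timedelta(days=rule.ag_deadline_days)
        obligations.append(
            Obligation(
                state=state,
                residents=n,
                consumer_deadline=discovered + timedelta(days=rule.consumer_deadline_days),
                ag_deadline=ag_deadline,
            )
        )
    return sorted(obligations, key=lambda o: (o.consumer_deadline, o.state))


# Constructed sample roster (one entry per affected individual, by state of residence).
SAMPLE_ROSTER: List[str] = ["TX"] * 300 + ["FL"] * 120 + ["WA"] * 600
SAMPLE_DISCOVERED = date(2024, 3, 1)   # constructed discovery date


def demo() -> List[Obligation]:
    """Run the mapper over the constructed roster."""
    return map_obligations(SAMPLE_ROSTER, SAMPLE_DISCOVERED)


if __name__ == "__main__":
    for o in demo():
        ag = o.ag_deadline.isoformat() if o.ag_deadline else "not required"
        print(f"{o.state}: {o.residents} residents, notify by {o.consumer_deadline}, AG by {ag}")
```

With the placeholder table, the constructed roster yields Florida and Washington consumer deadlines of 2024-03-31 and a Texas deadline of 2024-04-30; Texas and Washington cross their attorney-general thresholds, Florida does not. Sorting by the earliest consumer deadline is deliberate: the first date on the list is the one the whole response timeline has to be planned backwards from.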

How Businesses Can Limit Consumer Distrust After a Breach

Consumer trust is not automatically destroyed by a breach — it is destroyed by a poor response to a breach. Research consistently shows that consumers are more forgiving of companies that respond quickly, communicate transparently, and offer meaningful remediation. A company that notifies affected customers within days, explains clearly what happened, and provides concrete protective services retains far more customers than one that delays notification or uses vague corporate language to minimize the incident.

This is not merely a public relations point. It has legal significance. State consumer protection laws, including statutes modeled on the FTC Act’s prohibition on unfair or deceptive trade practices, treat delayed, incomplete, or misleading breach notifications as independent violations. A company that issues a notification carefully drafted to obscure the severity of the breach may face both consumer class actions and enforcement actions under deceptive practices statutes.

The companies that manage post-breach consumer relationships best are those that invested in their response infrastructure before the breach occurred. They had identified outside counsel, retained a forensic firm, and rehearsed the notification process. That preparation shows in the speed and quality of the response, which is exactly what affected consumers are measuring when they decide whether to stay or leave.

Contact a Data Breach Attorney

Revision Legal represents businesses navigating data breach response and advises companies building breach preparedness programs. If your organization has experienced a security incident or wants to audit your current response plan for legal compliance, contact the data breach attorneys at Revision Legal for a consultation.
