Outsourcing risk: Who pays most when customer data is breached?

What are the risks associated with outsourcing services? Associate Marketing Professor Michael Wiles and his research partners discovered that it depends on which party is at fault for the breach, and whether the employees of the outsourcing firm are productive.

First published in W. P. Carey Magazine, Spring 2015

Services outsourcing has grown rapidly since the turn of the millennium; its total value more than doubled from $46 billion in 2000 to $99 billion in 2012. It’s not hard to see why: companies that have outsourced services functions — that is, hired a service provider to perform functions like customer support, accounting and IT — have realized benefits including operational cost savings and, in some cases, higher quality service delivery.

But what about the risks associated with outsourcing services?

Associate Marketing Professor Michael Wiles, along with research partners Sachin Modi (University of Toledo) and Saurabh Mishra (McGill University), ventured to answer that question in the course of research that was published online in the Journal of Operations Management in October 2014.

Wiles and his co-authors focused their research on front-end services — business processes like customer support where the service provider has access to customer data. The researchers’ mission: understand the risks associated with services outsourcing, and uncover risk-mitigating traits among companies that outsource.

The cost of service failures

To assess one potential risk associated with outsourcing front-end services, Wiles and his co-authors posed a question: when a service failure occurs, are the consequences worse when the outsourced provider is at fault, or when the failure is the fault of the company itself? If failures are more costly when the service provider is at fault, that added cost is one risk of outsourcing.

To test their question, Wiles and his co-authors analyzed the financial consequences of one type of service failure: customer data breaches. The researchers looked at how the financial consequences of a data breach differed when the company itself was at fault, compared to when the service provider was to blame. Specifically, the researchers analyzed what happened to a company’s stock price after the company announced that a data breach had occurred.

A customer data breach is a good example of a service failure; data breaches are particularly relevant and economically significant. The number of data breaches was 26 percent higher in 2014 than in 2013, according to the Identity Theft Resource Center. And according to a report from Intel Security Group and the Center for Strategic and International Studies, cybercrime costs the global economy more than $445 billion each year.

Wiles and his co-authors analyzed 146 customer data breaches between 2005 and 2010. Of those, 25 were breaches where the outsourced service provider was responsible. In the case of a 2007 breach, for example, Target reported “The suspicious activity was tied back to employees of a company that provides call center support services to Target National Bank, the issuer of the Target Visa Card.”

Finding #1: Service provider breaches most costly

It was no surprise to Wiles and his co-authors that the financial consequences of a data breach are negative. “As you would expect, we found overall negative stock price movement after the data breach announcement,” Wiles explained. “What’s interesting is that the negative return is more negative in cases where the service provider is responsible for the breach.”

In other words, when the service provider is at fault for the customer data breach, the company suffers more significant stock price declines than when the breach is the company’s own fault. In cases where the company itself was at fault for the data breach, Wiles said the average loss of shareholder value was $304.7 million. In cases where the service provider was at fault, the average loss was $353.5 million.

The costs normally associated with a customer data breach include relational costs and operational costs. Relational costs come from reductions in customer trust and satisfaction and “can have significant ramifications for firms, such as lower customer repurchase intentions, higher customer attrition and less success of customer acquisition efforts,” Wiles said.

Operational costs are those that the company has to incur to remediate the breach — including fixing the processes responsible for the service failure as well as allaying customer concerns across the full range of front office and back office processes and reassuring the firm’s overall quality promise to its customers.

Wiles and his co-authors found evidence that both relational costs and operational costs are magnified in situations where the service provider caused the breach.

The relational costs associated with a data breach announcement are magnified, Wiles said, because customers learn not only that their personal information was compromised, but also that their information was shared with the third-party service provider — many times without their knowledge. “So in addition to a reaction of, ‘Why didn’t you protect my information better?’ customers are also saying ‘I didn’t give you permission to share my personal information with anyone else,’” Wiles said.

Operational costs are magnified in cases where the service provider caused the customer data breach because managing recovery from that type of service failure is more complicated — and thus, more costly. “There are more people involved, communication is more complex and often the end result is increased governance costs to ensure that the service failure — in this case, the data breach — doesn’t happen again,” Wiles explained.

Finding #2: Those costs can be mitigated

The added costs associated with data breach announcements when the service provider was at fault were not equal across the board, Wiles and his co-authors found. Some companies were able to mitigate the added negative impact. “Why is it that some firms are in a better position to mitigate the cost or better navigate the fallout of a service failure?” Wiles and his co-authors wondered.

The researchers found that firms with higher employee productivity are generally better able to handle data breaches — even more so when the failure was the fault of the service provider. “Employee productivity is always important,” Wiles explained. “Even more so for companies that have outsourced front-end services.”

The reason that employee productivity mitigates share price declines after a data breach, Wiles conjectured: “More productive employees provide higher-quality responses to service failures. Investors look at that firm’s more highly productive employees and assume lower costs to remediate the service failure.”

Implications

Wiles and his co-authors accomplished their mission to understand the risks associated with services outsourcing and uncover risk-mitigating traits among companies that outsource. Their findings have important implications for corporate executives, investors and policymakers.

For corporate executives, Wiles and his co-authors illuminated one type of risk associated with services outsourcing. “Corporate executives can incorporate that risk into their cost/benefit calculation when deciding whether hiring an outsourced service provider makes sense in a given situation,” Wiles said. An additional consideration: the risk associated with a data breach is mitigated for companies with more highly productive employees.

In situations where a company does outsource front-end services, the company could put in place more robust safeguards for customer data and governance structures to monitor service quality. Given the high cost associated with customer data breaches in those situations, many companies will find it well worth the expense to mitigate that risk. Companies could also do more to plan for service failures. “Given how prevalent data breaches have become, companies might do more to create remediation plans in advance.”

For investors, Wiles suggested that they be cognizant of the cost associated with data breaches, and recognize that for all the cost-saving benefits a firm might realize through outsourcing, the firm also incurs financial risk. “That risk associated with outsourcing decisions is one that investors may not have been aware of,” Wiles said.

The researchers’ findings have implications for policymakers, too. Firms incur negative financial consequences when a data breach is made public. So if they can keep breaches private, they have less incentive to spend money to reduce the risk of a breach. “Our results should give policymakers confidence that requiring firms to publicly report data breaches can incentivize those firms to put in place security protocols and processes to mitigate the risk of a breach,” Wiles explained.

The U.S. Securities and Exchange Commission does require a public company to report data breaches that the company deems to be material. “But what is material?” Wiles asked. “There is the sense that data breaches are vastly underreported. Because firms make their own assessments of what is material, they are often not compelled to disclose.”

Wiles’ research does not suggest that companies should stop outsourcing services. It does suggest that they should approach the outsourcing decision with a full awareness of the potential benefits and the potential costs. It suggests that certain companies — those with more productive employees — can weather data breaches better than others. For investors, it provides another data point on which to measure the risk associated with a particular investment. And for regulators, it provides another reason to require that firms disclose all customer data breaches.
