Our analysis of major data breaches at US publicly traded companies offers rare insight into how consumers apportion responsibility for preventing data breaches. Key findings from the survey include: • Ninety-four percent of consumers surveyed are concerned about retail data breaches. • Consumers are nearly as likely to hold retailers responsible for data breaches (61 percent) as the criminals themselves (79 percent). Only 34 percent blame the banks that issue debit and credit cards. • Seventy-five percent believe that retailers are not doing enough to prevent infiltrations into their customer data and payment systems. • Seventy percent of respondents believe that retailers should be held financially responsible for consumer losses that result from a breach; not banks or card issuers. • Finally – and most troubling – 34 percent of those surveyed report that they no longer shop at a specific retailer due to a past data breach issue.

1. Main Street vs.Wall Street
Who is to Blame for Data Breaches?
Spring 2014
Abu Dhabi
Beijing
Berlin
Brussels
Dallas
Dubai
Frankfurt
Hong Kong
Johannesburg
London
Milan
Munich
New York
Paris
Rome
San Francisco
São Paulo
Shanghai
Singapore
Stockholm
Vienna
Washington, D.C.

2. © BRUNSWICK | 2014 | 1
GrowingTrend
Scale and impact of data security issues continue to rise
Recent research has
determined the average cost
of a data breach to be $5.5
million per organization
and an average of $194 per
compromised record.
Studies also found for the
fourth straight year that
organizations’ need to respond
rapidly to data breaches drove
the associated costs higher.
Source: Open Security Foundation / DataLossDB.org; Ponemon Institute “Cost of a Breach Study”, 2011
21 44
157
644
774
1048
720
818
1072
1331
0
200
400
600
800
1000
1200
1400
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Data Loss DB.org Incidents OverTime

3. © BRUNSWICK | 2014 | 2
High Risk, High Profile
Privacy and data security issues are gaining attention worldwide

4. © BRUNSWICK | 2014 | 3
Heated Debate
Retailers and Banks are going head-to-head over who is responsible
“For years, banks have continued
to issue fraud-prone magnetic
stripe cards to U.S. customers,
putting sensitive financial information
at risk while simultaneously touting
the security benefits of next
generation 'PIN and Chip' card
technology for customers in Europe
and dozens of other markets.”
“The NRF should focus its attention on
responding to the harm that security
breaches at several retailers have done
to consumers and their financial
institutions rather than hurling false
allegations blaming the banking
industry for these retail breaches.
Retailers and their processors —
not banks — are responsible for
the systems in their stores that process
payment cards.”

5. © BRUNSWICK | 2014 | 4
25% 75%
Retailers are doing enough to prevent data breaches,
but the rise in usage of debit cards, credit cards and online payment
systems, as well as increased capabilities of online thieves, means
that data breaches are just the “new normal”
Retailers are not doing enough to prevent data breaches
and need to take significant actions to improve the
security of their payment systems
Are retailers doing enough to prevent data breaches?
What news events have consumers seen,read,or heard about?
How concerned are consumers?
90%
83%
83%
78%
60%
A data breach at some U.S.
retailers that resulted in the theft
of the credit card information of
more than 100 million consumers
Pop star Justin Bieber being
arrested for DUI, drag racing,
and resisting arrest
Security concerns for the
upcoming Sochi Winter Olympics
President Obama giving the
2014 State of the Union address
President Obama announcing
changes to the NSA
surveillance program
94%
concerned about
data breaches at
retailers
Difficult Opinion Environment
Consumers are aware,concerned,and believe retailers are not doing enough to stop data breaches

6. © BRUNSWICK | 2014 | 5Source: Harris Interactive – 2013 RQ Summary Report
High Marks for Industry Reputation…
Retail industry is regarded as one of the most respected,banking is among the least respected
Tobacco
Government
Banking
Financial Services
Airline
Insurance
Pharmaceutical
Energy
Manufacturing
Automotive
Telecommunications
Consumer Products
Retail
Travel & Tourism
Technology
Industry Reputation Ratings
NEGATIVE NEUTRAL POSITIVE

7. © BRUNSWICK | 2014 | 6
…But, Public Casts More Blame on Retailers
Nearly as likely to hold retailers responsible as the criminals themselves;One-third will boycott
72% 28%
Retailers Banks
Who is responsible? How have consumers responded?
65%
34%
24%
23%
12%
Started using cash
more often
Stopped shopping at
certain retailers
Started shopping more
at online retailers
Stopped using my
debit or credit card
Switched banks or
credit card companies
79%
61%
34% 26% 18% 17%
The
Criminals
Retailers Banks Government Shoppers Law
Enforcement

8. © BRUNSWICK | 2014 | 7
Making debit
and credit cards
more secure
63% 37%
Banks say that retailers are at fault for lacking
the necessary security measures to prevent
cyber-attacks from taking place, and therefore should
be responsible for reissuing cards compromised in a
security breach when the retailer is at fault.
Retailers say that banks are at fault for issuing
cards with faulty technology that leaves
customers prone to security lapses, and therefore
should take steps to ensure credit card security so
the cards are less likely to be corrupted.
70% 30%
Some say that in a situation where a systemic data breach is caused by a retailer’s payment system,
the retailer should be financially responsible for these fraudulent charges,
NOT the credit card issuer. Would this be fair or unfair?
UnfairFair
Clear Need for Effective Messaging
Consumers side with the banks over shifting more financial liability to retailers
56% 44%Strengthening
retail networks
against hackers
The best defense against future data breaches is…

9. © BRUNSWICK | 2014 | 8
1 2 3 4 5 6
Lasting Impact
Brunswick analysis of post-breach valuation discovered a long-term downward trend
Analysis of the average daily valuation data of 10 companies that have recently experienced large
data breaches uncovered that stock prices never fully rebound two quarters after the breach.
Anatomy of a Breach’s Impact onValuation
Day before breach
Bargain buyback
Initial sell-off Long-term downward trend
Months after breach announcement
Levelofpre-breachvaluation
Average daily closing price
100%
95%
90%
85%
80%