TL;DR: Consumers punish breach exposure but still practice risky habits such as password reuse and public Wi-Fi, turning security into a trust and loyalty issue rather than a back-office concern, according to Commvault research from a survey of more than 1,000 New Yorkers. The lesson for identity teams is that resilience now has to cover people, systems, and recovery assumptions at once.
NHIMG editorial — based on content published by Commvault: consumer trust, resilience, and data security expectations in New York
By the numbers:
- A recent Commvault-commissioned survey of more than 1,000 New Yorkers found strong concern about data security.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
Questions worth separating out
Q: How should security teams reduce customer impact after an identity-related breach?
A: They should plan for identity containment as part of recovery, not as a separate technical task.
Q: Why do consumer security habits matter if the organisation controls the environment?
A: Because organisations cannot assume users will always behave safely, and trust breaks when controls depend on that assumption.
Q: What breaks when resilience is treated only as a technical issue?
A: The trust model breaks.
Practitioner guidance
- Tie customer trust metrics to identity recovery speed Measure how quickly high-risk accounts, tokens, and privileged sessions can be revoked after suspected compromise, then compare that to customer-facing incident communication timing.
- Reduce reliance on user discipline Use MFA, conditional access, and safer account recovery workflows so password reuse and risky network behaviour do not become the deciding factor in breach exposure.
- Map identity blast radius for customer-facing systems Identify which human and non-human identities can directly affect customer data, transactions, or service availability, then limit each to the smallest viable scope.
What's in the full article
Commvault's full article covers the survey context and consumer trust signals this post intentionally leaves at a higher level:
- The survey framing behind responses from more than 1,000 New Yorkers and how the findings were presented.
- The specific consumer behaviours the article highlights, including password reuse and public Wi-Fi use.
- The article's own narrative on how businesses should balance prevention, response, and transparency.
- The broader brand-trust argument the vendor builds from the survey results.
👉 Read Commvault's survey analysis on trust, resilience, and data security →
Consumer trust and resilience: what security teams need to hear?
Explore further
Trust is now an identity outcome, not just a brand outcome. When customers leave after a breach, the organisation is being judged on its access discipline, recovery speed, and transparency. That turns IAM and PAM from internal controls into external trust enablers. Practitioners should treat identity resilience as a customer-retention control.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who is accountable for protecting trust when identity controls fail?
A: Accountability sits with the organisation, not with customers who may reuse passwords or make risky connectivity choices. Security, IAM, PAM, and communications teams all share responsibility for reducing breach impact and explaining what happened. In practice, trust failures are governance failures, not just technical ones.
👉 Read our full editorial: Consumer trust now depends on resilience, not just breach response