We’ve already noted on this blog that calculating the ‘true’ cost of a data breach is a tricky affair. After all, the U.S. has no federal law governing the loss of sensitive data (outside of sector-specific legislation like HIPAA). And the 48 different state data breach laws are all over the map when it comes to imposing penalties on firms for lapses that expose personally identifiable information (PII).
There is, of course, the EU General Data Protection Regulation (GDPR), which takes effect in May 2018. As we noted, that is a toothy piece of legislation that could tack three or four “zeros” onto the fines that wealthy firms - as “data controllers” - have to pay for mishandling customer and employee data.
But fines are just one measure of the “cost” of data breaches - albeit an important one. By focusing on them, we miss costs that are softer but just as substantial for businesses that fail to take care of their data. Among those are customer attrition and reputation damage.
A new survey of 10,000 consumers from the firm Gemalto is attempting to gauge those costs and has surprising findings. Among them: a whopping 70% of consumers surveyed said they would stop doing business with a company if it experienced a data breach. Similarly, seven in ten consumers said they didn’t believe that businesses took the security of customer data seriously.
The fact that consumers don’t feel like businesses are doing a good job protecting their data matters, because consumers also consider it the job of businesses to protect that data. Sixty-two percent of the people surveyed by Gemalto said businesses were “mostly responsible” for the security of their personal data.
And consumers are apparently ready to back up that belief with action. A stunning 93% of those surveyed said they would consider taking legal action against a compromised business for losing their data, the Gemalto survey found.
There’s a big caveat to this survey and others like it, of course. Namely: do the opinions expressed by the survey takers line up with action in the real world? Does some approximation of the 7 in 10 respondents who say they’ll stop doing business with a breached firm actually do so? Do 9 in 10 - or even 5 in 10 - breach victims take action against the firm accused of losing track of their data by filing suit individually, or as part of an aggrieved class?
The answer is far from clear, in part because there are few reporting requirements around breaches and, thus, few reliable, public sources of data about breaches or their impact on firms’ bottom lines.
As we noted recently, private attempts to measure the cost of a breach, like the annual Ponemon survey, are among the most reliable measures we have, but the data there is mixed. Ponemon found, for example, that the average cost of a breach was much higher for U.S. companies than for companies in other parts of the world. Much of that difference fell to the cost of activities like victim notification, hiring forensic investigators, credit monitoring, and so on. Churn (or customer loss) for U.S. firms was about average compared to other countries and regions following an incident. But losing customers and goodwill was far more expensive for U.S. firms than for companies in other countries and regions, Ponemon found.
Focusing on the impact on customer retention and reputation is important, especially since it has become clear that breached companies have little to fear from either regulators or investors. As Harvard Business Review noted a couple of years ago, there is no evidence that breaches have a long-term impact on a company’s stock price. Breached firms - from Target and Home Depot to Anthem - have survived and, indeed, thrived, even in the wake of disastrous breaches.
The unfortunate fact is that it falls to consumers to be the protectors of their own data and to hold companies to account. Overwhelmed by the frequency and scale of breaches, consumers are unlikely to really abandon companies that mishandle their sensitive information. The convenience of using Target - or Uber - will likely outweigh any lingering anger at the firm’s past indiscretions. And with a firm like Anthem, whose customers are typically enrolled through an employer’s health plan, the decision to abandon the firm may not be in the consumer’s hands at all.
And when it comes to protecting their own data, the news isn’t good, either. Gemalto’s survey found that more than half of those surveyed (56%) reuse passwords across multiple online accounts, while a sizable minority (41%) don’t take advantage of stronger “two-factor” authentication features when they are offered.
What’s needed are stronger, enforceable regulations to hold companies accountable, followed by a campaign of active enforcement of those rules. While the soft costs of breaches are real enough, predictable hard costs - like fines - are the best way to change behavior and the attitude of corporate boards toward protecting customer and employee data.