About a fifth of Americans would ditch a business in the wake of a major data breach, new research has found.

In a survey of 2,000 adult consumers across the United States by PCI Pal, almost half (44 percent) of them have personally suffered the negative consequences of a security breach or hack. So perhaps it’s unsurprising that 83 percent of the respondents said they would stop spending with a business for several months in the immediate aftermath of an incident; while 21 percent said they would walk away permanently.

“While security breaches are not new, U.S. consumers’ attitudes towards them seem to be changing significantly – with the vast majority of Americans now reporting that trust in security practices (or lack thereof) influences not just where but also how, and how much they spend,” said James Barham, COO at PCI Pal, which consolidated its findings into the State of Security report.

Consumers also reported that even being perceived as having lax security practices can be enough to incur brand damage – almost half (45 percent) said that they spend less with brands they perceive to have insecure data practices, while a little over a quarter (26 percent) said they would stop spending completely if they don’t trust a company with their data.

This concern especially applies to the retail and travel verticals, as consumers reported trusting those companies the least with their personal data, at 19 percent and 16.4 percent, respectively.

“The finding isn’t necessarily surprising with even global brands, such as British Airways, being breached, and the numerous reports of credit card data being stolen from big name retailers such as Macy’s, Lord & Taylor and Under Armour,” according to the report.

Further, a full 61 percent said that they know they should check a company’s security process, and 28 percent already question businesses directly or research how they safeguard consumer data.

“What’s really interesting is how consumers are increasingly questioning data security practices,” Barham said. “This suggests a real change in how consumers prioritize privacy and security. Consumer-facing brands should pay attention – not just adopting stronger security practices but incorporating them into their marketing and communications strategies if they want to keep customers loyal and spending with them.”

The good news for businesses is that consumers can be encouraged to forgive a security lapse, if businesses take the right actions post-hack. About 41 percent of consumers want the business to admit responsibility and invest money in improving its security efforts, according to the report. But for some, that isn’t enough: 26 percent want a third party to confirm its ecosystem is safe before spending with them again, and 21 percent go even further to require the company to announce GDPR or other regulatory compliance to earn back trust. In total, 88 percent of consumers require businesses to make additional investments in their security after they are hacked.