It seems that every day brings news of a data breach. In 2014, companies such as Kmart, JP Morgan Chase, Home Depot, eBay, Michaels, P.F. Chang’s and Neiman Marcus have all announced breaches. The increasing frequency of data breach announcements is likely a response to better cyber-monitoring, public and governmental calls for additional transparency and laws mandating notification.

In 2014, the Ponemon Institute released a study entitled, “The Aftermath of a Mega Data Breach: Consumer Sentiment.” According to the study, out of the 797 individuals who were surveyed, 400 indicated they had experienced a data breach in the past two years. The study found that 32 percent of respondents did nothing after receiving a notification and only 18 percent took the actions suggested in the notification. It appears that despite widespread news of data breaches, consumers still do not believe that serious consequences can occur as a result of having their information compromised.

The study reveals that consumers are suffering from data breach fatigue, the condition whereby consumers ignore or minimize the consequences of having their information compromised. However, a deeper analysis of the Ponemon study reveals that data breach fatigue may be the product of poor notification and not based upon complete consumer apathy.

The lack of concern for data breaches detailed in the Ponemon study is troubling but not surprising. The study reveals that consumers are suffering from data breach fatigue, the condition whereby consumers ignore or minimize the consequences of having their information compromised. Data breach fatigue is a natural reaction to the wave of data breach notifications and the seemingly lack of concrete consequences. In fact, of the Ponemon study respondents who had their information breached, only six percent had their identities actually stolen.

However, a deeper analysis of the study reveals that data breach fatigue may be the product of poor notification and not based upon complete consumer apathy. When asked what personal data if lost or stolen would cause the most significant stress and financial loss, respondents answered Social Security number (78 percent), password/pin (71 percent), credit card or bank payment information (65 percent), social media accounts/handles (49 percent) and address (16 percent). It appears that consumers understand the significant difference between having an address breached and having a Social Security number stolen. As a result, if data breach notifications themselves clearly differentiated between the types of personal information that was breached, consumers may be more likely to read and respond to the suggestions listed in the breach notification.

As the survey also reveals, there appears to be a lack of consumer understanding with respect to the consequences of data breaches. Of the individuals in the Ponemon study who revealed that they had been notified of a data breach, the majority (67 percent) wished that the notifying company had better explained the risks or harms that consumers will face as a result of the breach. While consumers know that data breaches can be problematic, there remains a lack of information explaining the exact consequences of a particular breach.

One of the issues that may be contributing to data breach fatigue is the data notifications themselves and the laws that mandate them.

The first data breach notification law in the country was California’s in 2002. California’s law largely became the model that many other states adopted. While ahead of its time in 2002, the law is now inadequate to address the massive amounts of data breaches occurring. The California law requires companies to notify consumers of a breach when “personal information” is breached. “Personal information” is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the date elements are not encrypted:

  • Social Security number (SSN),
  • Driver’s license number or California Identification Card number,
  • Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

In 2014, California amended its data breach notification law to include user names or email addresses in combination with a password that would grant access to an online account. Since there is no federal data notification law, others states have adopted definitions of personal information that expand California’s definition to include information such as biometric data, taxpayer identification numbers and medical information.

Visual Cues for Consumers

To ensure that consumers are actually reading and understanding data breach notifications, notification statutes should be amended to make it easier for consumers to understand what personal data has been breached and what can be done to prevent any harmful consequences of the breach. For example, notifications could be color-coded to differentiate between an SSN breach and a breach involving access to online accounts. While an SSN breach could be printed on red paper, breaches involving passwords could be printed on blue. The color could provide an easy signal for consumers to recognize that not all breaches are the same and should not be treated in the same regard.

Immediate Red Flags and Steps for Remediation, Quickly

Notifications should also be more transparent on the consequences of the breach and what can be done by the consumer to limit any harm. If a consumer’s SSN is breached, the notification should clearly provide notice that the consumer’s identity can be stolen and that a criminal may seek to use the number to open bank and credit card accounts, to file false tax returns or to steal an identity to gain lawful employment for an undocumented immigrant.

Beyond a list of potential harms, the notification should provide steps to deal with the breach that are specifically tailored to the type of information compromised. In the case of an SSN, suggestions such as contacting the IRS, notifying the three major credit-reporting agencies and filing a report with the local police should be included within the notification. While many notifications provide a cursory list of suggestions, the suggestions are not always in line with the breach that occurred.

Timely notification of a data breach is essential to ensure that consumers can be protected from possible identity theft. However, in an age when data breaches seem to be announced on a daily basis, data breach fatigue is a significant concern. By providing additional transparency to consumers in regard to the breach’s threat level, consumers will hopefully be more inclined to take action on the breaches that require immediate attention.