News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | If Not All Data Breaches Are Created Equal, Why Are All Data Breach Notifications Treated the Same? Related reading: ADMA CEO Opposes Breach Notification Plan

rss_feed

""

""

It seems that every day brings news of a data breach. In 2014, companies such as Kmart, JP Morgan Chase, Home Depot, eBay, Michaels, P.F. Chang’s and Neiman Marcus have all announced breaches. The increasing frequency of data breach announcements is likely a response to better cyber-monitoring, public and governmental calls for additional transparency and laws mandating notification.

In 2014, the Ponemon Institute released a study entitled, “The Aftermath of a Mega Data Breach: Consumer Sentiment.” According to the study, out of the 797 individuals who were surveyed, 400 indicated they had experienced a data breach in the past two years. The study found that 32 percent of respondents did nothing after receiving a notification and only 18 percent took the actions suggested in the notification. It appears that despite widespread news of data breaches, consumers still do not believe that serious consequences can occur as a result of having their information compromised.

The study reveals that consumers are suffering from data breach fatigue, the condition whereby consumers ignore or minimize the consequences of having their information compromised. However, a deeper analysis of the Ponemon study reveals that data breach fatigue may be the product of poor notification and not based upon complete consumer apathy.

The lack of concern for data breaches detailed in the Ponemon study is troubling but not surprising. The study reveals that consumers are suffering from data breach fatigue, the condition whereby consumers ignore or minimize the consequences of having their information compromised. Data breach fatigue is a natural reaction to the wave of data breach notifications and the seemingly lack of concrete consequences. In fact, of the Ponemon study respondents who had their information breached, only six percent had their identities actually stolen.

However, a deeper analysis of the study reveals that data breach fatigue may be the product of poor notification and not based upon complete consumer apathy. When asked what personal data if lost or stolen would cause the most significant stress and financial loss, respondents answered Social Security number (78 percent), password/pin (71 percent), credit card or bank payment information (65 percent), social media accounts/handles (49 percent) and address (16 percent). It appears that consumers understand the significant difference between having an address breached and having a Social Security number stolen. As a result, if data breach notifications themselves clearly differentiated between the types of personal information that was breached, consumers may be more likely to read and respond to the suggestions listed in the breach notification.

As the survey also reveals, there appears to be a lack of consumer understanding with respect to the consequences of data breaches. Of the individuals in the Ponemon study who revealed that they had been notified of a data breach, the majority (67 percent) wished that the notifying company had better explained the risks or harms that consumers will face as a result of the breach. While consumers know that data breaches can be problematic, there remains a lack of information explaining the exact consequences of a particular breach.

One of the issues that may be contributing to data breach fatigue is the data notifications themselves and the laws that mandate them.

The first data breach notification law in the country was California’s in 2002. California’s law largely became the model that many other states adopted. While ahead of its time in 2002, the law is now inadequate to address the massive amounts of data breaches occurring. The California law requires companies to notify consumers of a breach when “personal information” is breached. “Personal information” is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the date elements are not encrypted:

  • Social Security number (SSN),
  • Driver’s license number or California Identification Card number,
  • Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

In 2014, California amended its data breach notification law to include user names or email addresses in combination with a password that would grant access to an online account. Since there is no federal data notification law, others states have adopted definitions of personal information that expand California’s definition to include information such as biometric data, taxpayer identification numbers and medical information.

Visual Cues for Consumers

To ensure that consumers are actually reading and understanding data breach notifications, notification statutes should be amended to make it easier for consumers to understand what personal data has been breached and what can be done to prevent any harmful consequences of the breach. For example, notifications could be color-coded to differentiate between an SSN breach and a breach involving access to online accounts. While an SSN breach could be printed on red paper, breaches involving passwords could be printed on blue. The color could provide an easy signal for consumers to recognize that not all breaches are the same and should not be treated in the same regard.

Immediate Red Flags and Steps for Remediation, Quickly

Notifications should also be more transparent on the consequences of the breach and what can be done by the consumer to limit any harm. If a consumer’s SSN is breached, the notification should clearly provide notice that the consumer’s identity can be stolen and that a criminal may seek to use the number to open bank and credit card accounts, to file false tax returns or to steal an identity to gain lawful employment for an undocumented immigrant.

Beyond a list of potential harms, the notification should provide steps to deal with the breach that are specifically tailored to the type of information compromised. In the case of an SSN, suggestions such as contacting the IRS, notifying the three major credit-reporting agencies and filing a report with the local police should be included within the notification. While many notifications provide a cursory list of suggestions, the suggestions are not always in line with the breach that occurred.

Timely notification of a data breach is essential to ensure that consumers can be protected from possible identity theft. However, in an age when data breaches seem to be announced on a daily basis, data breach fatigue is a significant concern. By providing additional transparency to consumers in regard to the breach’s threat level, consumers will hopefully be more inclined to take action on the breaches that require immediate attention.

Author
Headshot Andrew Bolson IAPP Member Contributor
Tags
U.S.
Data Loss
Comments

If you want to comment on this post, you need to login.

Related Stories
ADMA CEO Opposes Breach Notification Plan
CMO reports on Association for Data-driven Marketing and Advertising CEO Jodie Sangster’s comments against the government’s plans to impose data breach notification requirements on Australian businesses. If passed, proposed breach notification will come into effect in March and will requ...
Read More queue Save This
Alberta Data Breach Notification Law Now In Effect
Alberta is now the first province to have a data breach notification requirement in effect, SC Magazine reports, and experts believe the change could have a significant impact on practices across the country. Under the amendment to the Personal Information Protection Act (PIPA), which went into effe...
Read More queue Save This
"Privacy Bill of Rights" Draft Released
Following up on his announcement that he would soon submit the "Commercial Privacy Bill of Rights Act of 2011" during a hearing on the call for federal privacy legislation, Sen. John Kerry (D-MA) and the bill's cosponsor, Sen. John McCain (R-AZ), have published a draft of the legislation. MediaPost ...
Read More queue Save This
200,000-Plus Customers Receive Breach Notice
Approximately 230,000 Anthem Blue Cross customers received notification this week that personal information--including Social Security and credit card numbers--may have been accessed, the OC Register reports. The breach involved customers with pending insurance applications that could be viewed thro...
Read More queue Save This
Related Stories
Tags
U.S.
Data Loss
Recent Comments