TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The misconceptions of data breach fatigue Related reading: Proposed breach notification law receives criticism

rss_feed

""

PrivacyTraining_ad300x250.Promo1-01

As many privacy and security executives are well aware, data breaches are being reported at an increasingly alarming rate and making headlines in the U.S. every day. This increase in reported incidents has led to significantly more attention and awareness by senior leaders at companies who are asking their teams how prepared they are to manage these issues. 

But has this increase in attention had the opposite effect on consumers who have their information exposed? Proponents of data breach fatigue – the idea that the more consumers are confronted with security incidents, the less likely they are to proactively protect themselves or take action against the companies at fault for exposing their personal information – would say yes.

But falling for the fatigue fallacy can cause companies in crisis to make decisions in their response that could ultimately further harm their brand and reputation. People care when their information is exposed and they will take action.

A recent Experian survey found that a majority of consumers in the U.S. who were notified of a data breach took steps to protect themselves in response. In fact, 72 percent of consumers who were impacted by a breach updated their anti-virus technology and nearly half reviewed online account activity or company security policies. 

Further, this data shows that it is dangerous to generalize when it comes to consumer attitudes toward breaches. While a certain subset of consumers may have experienced data breach fatigue, another set decided to take the extreme action of taking their business elsewhere. One in five consumers notified of a breach stopped doing business with the company that compromised their personal information.

To avoid the potential loss of reputation, customer trust and business that can occur in the aftermath of a breach, companies must consider the needs and concerns that many of its customers may have and ignore the publicized theory of data breach fatigue.

The good news is that there are steps companies can take to mitigate customer fall out after a major security incident.

Notification letters should be timely, sincere and tailored to the customer based on the situation and the type of information exposed. Letters should include an apology and a clear explanation of what happened, why it happened, and easy-to-follow steps for consumers to protect themselves from fraud. This includes checking credit reports and monitoring financial or health records to identify any suspicious activity.

Prioritize authentic communication

To avoid possible reputational damage and the loss of customers following a breach, companies must prioritize the concerns of their customers and have plans in place that ensure thoughtful communication and expected protection services.

Getting the response right in the heat of a data breach is easier said than done. The mega breaches that have played out publically in recent months show that companies must ensure they react and respond to an incident by planning ahead and having a response plan in place with security and communication professionals working closely together. Notification letters should be timely, sincere and tailored to the customer based on the situation and the type of information exposed. Letters should include an apology and a clear explanation of what happened, why it happened, and easy-to-follow steps for consumers to protect themselves from fraud. This includes checking credit reports and monitoring financial or health records to identify any suspicious activity.

Beyond the formal notification letter, companies should consider the other channels they can use to communicate with affected customers. For example, establishing a page on a company website dedicated to providing more details about an incident, as well as links to other protection resources, has proven to be a very effective engagement tool. Unlike a written letter, a site can be regularly updated as companies learn more information about the incident and it is an easy place for consumers to gain information.

Other methods of communication to consider for customers include an FAQ section on your company website and a call center. Call center providers can help answer your customers’ more detailed questions and concerns about a data breach, as well as provide assistance to customers enrolling in identity theft protection services. Providing this open line of communication can go a long way in retaining customer trust.

Provide guidance and remedies

Companies should also consider offering services that help consumers further safeguard the information that was exposed by the data breach. Though laws and industry regulations vary on if and when an organization needs to notify victims following a breach, affected consumers also have the expectation that organizations will offer credit monitoring and identity theft protection services.

In fact, 63 percent of consumers believe organizations should be obligated to provide identity theft protection in the event of a data breach. Providing fraud monitoring and identity protection services are important steps for organizations both in terms of compliance and maintaining consumer trust. Additionally, companies can also offer access to fraud resolution agents that can help consumers deal with possible hassles should they become victims of identity theft after a breach.

Companies must continue to prioritize the concerns and needs of consumers following a data breach. Those affected by a breach deserve to be notified and presented with protection options, whether interested in taking them or not. At its worst, the data breach fatigue myth leads businesses to believe otherwise and do the minimum required by law, versus what is required to maintain trust and credibility with customers.

 

photo credit: Research Data Management via photopin (license)

4 Comments

If you want to comment on this post, you need to login.

  • comment Joanne McNabb • Mar 9, 2016
    Yes! Great piece. I've challenging the "breach fatigue" argument for years. It's one thing for the news media to get fatigued by the volume of data breaches (which does not, in fact, seem to be happening), and quite another thing when you get your very own breach notice.
  • comment Michael Bruemmer • Mar 9, 2016
    Thanks, Joanne.  Data suggests that victims of a breaches are 4X more likely to suffer ID theft than those that are not.  Once you are a victim, things are never the same. Be particularly careful now during tax time by filing early before someone gets a fraudulent refund using your identity.
  • comment Kathy Stershic • Mar 9, 2016
    Michael, thanks for this helpful and insightful perspective. As a marketer-turned-privacy pro I am very concerned about the brand reputation impact of breaches and negligent or cavalier behavior. You may be interested in a brief e-book I wrote offering principles for trustworthy data stewardship and impact on brand. IAPP has published in the Resources section: https://iapp.org/resources/article/brand-reputation-in-the-era-of-big-data. Would love to discuss this live with you some time. Will you be at the Summit?
  • comment Sheila Dean • Mar 9, 2016
    Great stuff! Something I was really impressed with following a healthcare insurer breach was the way they took a suggestion about changing internal numbers for the insured.   The organizational ID number given to consumers can be changed to prevent further access to data.  Of course, that's not as convenient if it's your bank account and you have revolving expenses, but that's part of the follow up after a breach.  Consumers are expected to do their part, but it's so much easier when they know what to do.  I was pointed to IdentityTheft.org to get step-by-step methods to wade through the shock of those first few days after an identity breach.  This was a good post!