In the past year, we saw a record number of data breaches – 781 in total that left 169,068,506 people exposed, according to a recent report by the Identity Theft Resource Center. This increased exposure to the risk and occurrence of breaches has created the well-known and often accepted concept of consumer “data breach fatigue” – a notion that I now believe to largely be a myth that can be damaging to companies when managing a security incident.
The thinking behind data breach fatigue is that the more consumers are confronted with security incidents – whether indirectly through news stories or directly through data breach notification letters – the less likely they are to proactively protect themselves or take action against the companies at fault for exposing their personal information. This notion suggests that consumers are apathetic toward breaches and therefore implies that companies do not have to worry as much about possible reputational damage or the loss of customers.
However, I believe this is a cynical view that can ultimately harm businesses if it influences their response process and causes them to take the issue less seriously. Contrary to the generally accepted assumptions about breach fatigue, I have found consumers do care about their security and show concern when their information is lost.
A recent Experian survey found that consumers in the United States who were notified of a data breach took steps to protect themselves in response. In fact, 72 percent of breached consumers updated anti-virus technology and nearly half reviewed online account activity or company security policies. Even more concerning for businesses, one in five consumers notified of a breach stopped doing business with the company that compromised their personal information. Further, even if it is true that some consumers are experiencing data breach fatigue, plaintiff attorneys are not and will closely scrutinize the response of any company, looking for signs that they are neglecting customers in their response.
To avoid the potential loss of reputation and mitigate the potential for litigation, companies must not fall victim to the “fatigue fallacy.” They must seriously consider the concerns of victims and take swift action to help them if an incident occurs. The good news is that there are steps companies can take to mitigate customer fall out after a major security incident.
How, where and what a company communicates following an incident can have a significant impact on the response for customers. While companies are often required by law to notify affected individuals of a data breach through a written and mailed letter, how that letter is worded and the other avenues used to communicate with consumers can make a big difference. Notification letters should be sincere and tailored to the customer based on the situation and type of information exposed. They should include an apology, details around what information was lost and the steps that customers can take to protect themselves.
Beyond the formal notification letter, companies should consider the other channels they can use to communicate with affected customers. For example, establishing a page on a company website dedicated to providing more details about an incident, as well as links to other protection resources, has proven to be a very effective engagement tool. Unlike a written letter, a site can be regularly updated as companies learn more information about the incident, and it is an easy place for consumers to gain information.
Another important step is setting up a call center dedicated to providing support around consumer questions regarding an incident. Customers often have questions following a major breach and having the ability to speak with someone knowledgeable about the incident can go a long way in calming any concerns.
Companies should also consider offering services that help consumers further safeguard the information that was exposed by the data breach. This could include free identify theft protection and credit monitoring services that will alert consumers if their information was used fraudulently, as well as help them remediate issues that occur. Companies can also offer access to fraud resolution agents that can help consumers deal with possible hassles should they become victims of identity theft after a breach.
The concerns and needs of consumers following a data breach should always remain a priority to companies. Those affected by a breach deserve to be notified and presented with protection options, whether interested in taking them or not. At its worst, the fatigue fallacy sways businesses to believe otherwise and do the minimum required by law versus what is required to maintain trust and credibility with customers. After all, it only takes a few vocal consumers to ignite a major reputational issue.