Dispelling the Dangerous Myth of Data Breach Fatigue

April 1, 2016

In the past year, we saw a record number of data breaches – 781 in total that left 169,068,506 people exposed, according to a recent report by the Identity Theft Resource Center. This increased exposure to the risk and occurrence of breaches has created the well-known and often accepted concept of consumer “data breach fatigue” – a notion that I now believe to largely be a myth that can be damaging to companies when managing a security incident.

The thinking behind data breach fatigue is that the more consumers are confronted with security incidents – whether indirectly through news stories or directly through data breach notification letters – the less likely they are to proactively protect themselves or take action against the companies at fault for exposing their personal information. This notion suggests that consumers are apathetic toward breaches and therefore implies that companies do not have to worry as much about possible reputational damage or the loss of customers.

However, I believe this is a cynical view that can ultimately harm businesses if it influences their response process and causes them to take the issue less seriously. Contrary to the generally accepted assumptions about breach fatigue, I have found consumers do care about their security and show concern when their information is lost.

A recent Experian survey found that consumers in the United States who were notified of a data breach took steps to protect themselves in response. In fact, 72 percent of breached consumers updated anti-virus technology and nearly half reviewed online account activity or company security policies. Even more concerning for businesses, one in five consumers notified of a breach stopped doing business with the company that compromised their personal information. Further, even if it is true that some consumers are experiencing data breach fatigue, plaintiff attorneys are not and will closely scrutinize the response of any company, looking for signs that they are neglecting customers in their response.

To avoid the potential loss of reputation and mitigate the potential for litigation, companies must not fall victim to the “fatigue fallacy.” They must seriously consider the concerns of victims and take swift action to help them if an incident occurs. The good news is that there are steps companies can take to mitigate customer fall out after a major security incident.

Communicate Authentically

How, where and what a company communicates following an incident can have a significant impact on the response for customers. While companies are often required by law to notify affected individuals of a data breach through a written and mailed letter, how that letter is worded and the other avenues used to communicate with consumers can make a big difference. Notification letters should be sincere and tailored to the customer based on the situation and type of information exposed. They should include an apology, details around what information was lost and the steps that customers can take to protect themselves.

Beyond the formal notification letter, companies should consider the other channels they can use to communicate with affected customers. For example, establishing a page on a company website dedicated to providing more details about an incident, as well as links to other protection resources, has proven to be a very effective engagement tool. Unlike a written letter, a site can be regularly updated as companies learn more information about the incident, and it is an easy place for consumers to gain information.

Another important step is setting up a call center dedicated to providing support around consumer questions regarding an incident. Customers often have questions following a major breach and having the ability to speak with someone knowledgeable about the incident can go a long way in calming any concerns.

Provide Protection

Companies should also consider offering services that help consumers further safeguard the information that was exposed by the data breach. This could include free identify theft protection and credit monitoring services that will alert consumers if their information was used fraudulently, as well as help them remediate issues that occur. Companies can also offer access to fraud resolution agents that can help consumers deal with possible hassles should they become victims of identity theft after a breach.

The concerns and needs of consumers following a data breach should always remain a priority to companies. Those affected by a breach deserve to be notified and presented with protection options, whether interested in taking them or not. At its worst, the fatigue fallacy sways businesses to believe otherwise and do the minimum required by law versus what is required to maintain trust and credibility with customers. After all, it only takes a few vocal consumers to ignite a major reputational issue.

More information on data breach preparedness and resources can be found at www.experian.com/databreach and the www.experian.com/blogs/data-breach

Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

Dispelling the Dangerous Myth of Data Breach Fatigue

Communicate Authentically

Provide Protection

Recent Articles by Michael Bruemmer

Companies are Failing to Get Ahead of the GDPR

Combating Complacency: Getting the Most Out of Your Data Breach Response Plan

Top 5 Fails from Companies Preparing for and Responding to a Data Breach

3 Factors to Employee Data Loss Preparedness

Security Magazine

2020 November

Dispelling the Dangerous Myth of Data Breach Fatigue

Communicate Authentically

Provide Protection

Recent Articles by Michael Bruemmer

Related Articles

Report Abusive Comment