Ponemon Institute has released an Experian® Data Breach Resolution sponsored survey into what consumers think about data breach notifications, titled 2012 Consumer Study on Data Breach Notifications.
I have made a summary of the survey below.
Consumers in the Ponemon and Experian joint study believe data breach notification is important under certain conditions
- 85% believe notification about data breach and the loss or theft of their personal information is relevant to them
- 57% say that they want to be informed only if the organization is certain that they are at risk
- 58% say that if they remembered the notification it failed to explain all the facts and “sugar coated” the message
The trustworthiness of an organization is linked to the efforts it makes to protect personal information
- 83% of respondents believe organizations that fail to protect their personal information are untrustworthy
- 82% believe the privacy and security of their personal information is important
Following a data breach, consumers believe organizations have obligations to provide compensation and protect them from identity theft
- 63% say organizations should be obligated to compensate data breach victims with cash, their products or services
- 59% believe a data breach notification means there is a high probability they will become an identity theft victim. As a result, 58% say the organization has an obligation to provide identity protection services and 55% say they should provide credit-monitoring services.
Most consumers recall receiving a form letter and more than one notification
- 65% of consumers say they have received at least one notification
- 35% recall receiving at least three. In 2005, 91% said they received only one
- 62% of consumers say the notification was a form letter, while 19% say it was a personal letter
Most consumers do not believe the organizations that sent them notifications did a good job in communicating and handling the data breach
- 72% of consumers were disappointed in the way the notification was handled
- 28% say the organization did a good job in communicating and handling the data breach
A key reason for the disappointment is respondents’ belief that the notification did not increase their understanding about the data breach. In fact, since 2005 respondents are more in the dark about what happened with their data.
- 41% of respondents say their data was most likely stolen
- 37% say they have no idea what the data breach incident was about
- This is an increase from 37% in 2005 who said their data was most likely stolen and 28% of consumers who said they had no idea what the data breach incident was about
- 51% say their customer or consumer information was stolen
- 21% say it was their financial information such as credit card/debit card account numbers
- In 2005, 86% said it was their customer or consumer information and 10% said it was employee records
- 44% of consumers do not know the specific data that was lost or stolen which makes it more difficult for them to take steps to protect themselves from further harm. Those who do know say the following were most likely to have been lost or stolen: name, credit card or bank payment information and Social Security number.
Personal data respondents worry most about if lost or stolen
- 48% Email address
- 48% Health plan provider account number
- 48% Taxpayer ID number/Employer ID number
- 52% Telephone or mobile number
- 53% Driver’s license number
- 57% Credit or payment history
- 65% Credit card or bank payment information
- 65% Prescriptions
- 68% Social media accounts/handles
- 89% Social Security number
- 92% Password/PIN
Consumers say key facts about the breach are missing in most communications. 67% say the notification did not provide enough details about the data breach.
The majority of consumers (51%) would like to have more information about how the organization will protect them to minimize the harm to them and their family. This is consistent with the 2005 study.
The share wanting to know how the data breach may affect them and their family decreased significantly, from 40% of respondents in 2005 to 24% this year. Identity protection or credit monitoring services and steps to take to protect their personal information were included for the first time in this year’s study and were chosen significantly less often than the first choice, information about protections to minimize the possible negative consequences of a data breach.
Notification letters are increasingly perceived to be junk mail, according to many consumers
- 36% say they thought the data breach notification letter looked like junk mail. This is an increase from 15% in 2005
- 34% say it was an important communication. This is a significant decrease from 51% in 2005
If they thought it looked like junk mail:
- 63% of respondents recommend that the notification provide the names of individuals they can contact if they have questions or concerns
- 54% say the notification should be personalized
- 50% suggest making a phone call or email alerting them to the notification
Customer loyalty is at risk following notification. In response to being notified by an organization:
- 15% say they will terminate their relationship
- 39% say they will consider ending the relationship
- 35% say their relationship and loyalty is dependent upon the organization not having another data breach
Only a small percentage of respondents in both studies do not blame the organization reporting the data breach. Further, respondents’ reactions to a breach have not changed significantly in the past seven years.
As in the previous finding, data breaches diminish customer loyalty and trust, and this has not changed much since 2005. The study reveals that 62% say the notification decreased their trust and confidence in the organization. Only 30% say it had no effect on their trust and confidence.
Since 2005, data breach notifications have not become easier to understand, with 61% of consumers having problems understanding the notification, an increase from 52% in 2005.
The biggest improvements that could be made would be to explain the risks or harms that they are most likely to experience as a result of the breach and to disclose all the facts.
The believability of data breach notifications has declined
- In 2005, 61% say the message was believable
- This has decreased to 55% in 2012
Scepticism about the content of the notification has increased since 2005. Of the 45% who say it was not believable, 51% say the message did not tell them about the harms or risks they will likely experience. This is an increase from 37% who believed this in 2005. In addition, perceptions that the organization is hiding key facts about the data breach have increased from 37% to 44%.
Respondents are just as worried today as they were in 2005 about the security of their personal information
- 63% are more worried about the security of their personal information
- 44% say they have had to spend time resolving problems as a result of the breach
- Despite concerns about identity theft and other harms, almost half (49%) are doing nothing to protect themselves
Consumers are, however, more cautious about sharing personal information with the organization that had the breach (45%) and 35% are more cautious about sharing information with all organizations.
Consumers in our study believe the privacy and security of their personal information is important. Organizations that do not provide adequate safeguards are considered untrustworthy. Further, typical responses to a data breach notification are to immediately discontinue the relationship with the organization that had the breach, to consider discontinuing the relationship or to continue the relationship only as long as another breach does not occur.
One of the goals of this research is to determine if consumers’ perceptions about data breach notification have changed since 2005, when we conducted the first study about this topic. Based on the findings, improvements need to be made to both how the notifications are delivered and the information that is communicated to victims of the data breach:
- Making the notification easier to understand by making it shorter with less legalese
- Eliminating the perception that the notification is junk mail by providing names that can be contacted if there are questions or concerns, personalizing the message and making a phone call or sending an email in advance of sending the notification
- Providing specifics about the incident that explain the cause of the breach and the type of data that was lost or stolen so the victim understands what the data breach is all about
- Assuring the victims that the organization will take steps to protect them from identity theft and other negative consequences
Most of the consumers who responded to the survey cannot recall if they received notification. We conclude that despite their concern about privacy and security, consumers are not paying attention to the notices. They also are not being proactive about preventing identity theft following notification. Instead, they believe it is the obligation of the organization to fully explain the potential harms they are likely to experience and to take steps to reduce the risk of identity theft.
In many instances, when organizations have a data breach the notification process is a matter of sending out a form letter. As shown in this study, communicating the circumstances of the data breach can influence customer loyalty, trustworthiness and reputation. Resources spent on personalizing the message, offering assistance to reduce the likelihood of identity theft and future harms and providing specific information about the incident may help organizations avoid the risk of losing customer trust and loyalty in the aftermath of the data breach.
Read the full report by registering here.
With breach notifications to be mandatory in the not-so-distant future, it would be worth reading my review of the proposed European Data Protection Act here.