Security Experts:

Consumers Dissatisfied with Current Breach Notifications

A recent study by Experian Data Breach Resolution says that consumers are far from pleased with the typical response from a company during the aftermath of a data breach. Consumers expect a company to protect their data fully, but when that doesn’t happen, they would also like to have the issue explained fully, instead, they feel left in the dark.

Experian’s study was conducted by the Ponemon Institute, who conducted a similar one in 2005. Seven years ago, the number of respondents that said they were the recipient of a breach notification letter was about 12%. However, over the last few years, 47 states have implemented laws and regulations governing breach notifications, so when Ponemon performed the study this year, that number climbed to 25%.

Yet, the quality of notifications hasn’t gone up. It isn’t enough, consumers say, to inform them of a breach, they expect more information.

"While it's important for companies to do everything possible to safeguard consumer data, it's just as important to communicate effectively in the event of a breach," said Michael Bruemmer, vice president at Experian Data Breach Resolution.

"Effective and appropriate communication to customers who have been impacted by a breach includes describing the type of data that was lost or taken, an estimate of probability that the data will be abused and the business recourse that the company will offer."

According to the study, 41% of the respondents said that their personal data was likely stolen due to the notification letters they received, yet 37% had no idea what the breach was about. Looking at the respondents overall, the study shows that 67% felt the notification didn’t offer enough data, and 61% were just clueless by the legal spin often seen in notification letters, as they didn’t understand a thing.

"In the aftermath of a data breach, it is imperative to a company's reputation that it take the necessary steps to inform those affected by the incident in a timely and transparent fashion," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

Yet, at least the respondents in the study got a letter. Personally, I recently learned that my Chase card was compromised during a breach at Penn Station East Coast Subs. Not because the company notified me, but because I spent more than an hour on the phone with the bank until I had some answers. I was simply informed that the card was canceled and would be replaced.

As it turns out, the sub shop had a notification letter available, but only on their website. So it’s clear that notification needs to improve, but that’s easier said than done considering that most breached firms want to protect reputation first.

“Notification is complicated by several factors, including the patchwork of state disclosure laws," added Ted Julian, CMO of Co3 Systems, a provider of data loss management software. "Different states have different requirements which are informed by the state's judgement on what their voters want. This allows the states to tune their requirements to resident's desires, but it substantially complicates the process for organizations that have suffered a breach.”

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.