There are letters that no one ever wants to get: any correspondence from the IRS or the notification for jury duty, for example. Add data breach notifications letter to that list. Not only do recipients not want to receive it, but senders aren’t thrilled about having to deliver it because that means they’ve been the victim of a data breach or some other cyber incident.
That letter to customers telling them their personal information may have been compromised is just one of many issues the sender has to deal with, and one it hopes will meet data privacy compliance regulations and help regain its customers’ trust.
However, according to research from the University of Michigan, businesses are failing miserably with those data breach notifications. Although a data breach increases the risk of identity theft for the consumer, the researchers found that most consumers take no action to protect themselves after they are notified. Wanting to know why, the researchers examined 161 data breach notifications and found them to be too long and too difficult for the average person to comprehend.
“Many companies downplay or obscure the likelihood of the receiver being affected by the breach and associated risks,” the researchers wrote. “Moreover, potential actions and offered compensations are frequently described in lengthy paragraphs instead of clearly listed.” Furthermore, the notifications rarely impress the need for urgency in taking steps to protect one’s identity or what actions to take.
In other words, these letters might fulfill legal needs on the business’s part, but they don’t help the consumer at all.
Why the Data Breach Notification Disconnect?
Even before GDPR and other data privacy laws ramped up the internal processes for data breach response, one of the most important parts of any cybersecurity program was (or should be) the response team—that group of people from security and IT to legal to marketing/PR, among other departments, who are supposed to be trained in how to handle the public-facing side to breach response. Shouldn’t the marketing team be adept in creating something approachable for the general public?
“With the sensitivity of the breach and data involved, companies are extremely careful to avoid disseminating unconfirmed information, so customers are not saddled with more confusion or worry,” explained Robert Capps, VP and authentication strategist at NuData Security. “However, this sometimes leads to confusing communications for customers who are not
able to decipher the message and determine what kind of action they should be taking.”
It’s easy to see why the messages are confusing. The University of Michigan researchers found that the notifications were often “obfuscated with hedge terms such as ‘potentially’ and ‘may,’ as well as a ‘no evidence’ statement (e.g., ‘we have found no evidence indicating that your breached personal data has been misused’).” When they do get around to providing actionable advice, it is buried in long paragraphs that don’t do a very good job at explaining anything important.
Are New Regulations Complicating Matters?
It could be that the new data privacy laws are adding a layer of complication to these notification letters. GDPR, for instance, requires affected consumers to be notified within 72 hours after the breach is discovered. Three days isn’t a whole lot of time to figure out what’s happened.
“It takes time to identify the full scope of a breach, and often it takes longer to identify all possible data that has been accessed than an organization has to make initial consumer disclosures under the various breach notification laws,” said Capps. “This can lead to piecemeal breach notifications and consumer confusion.”
Complicating things further, while these laws require the notifications be sent, they don’t tell you what the notifications should say. “Since the regulations that mandate data breach notifications don’t typically include any requirements regarding what content must be in a notification and how easy it must be to understand, most companies will fall back to using legal language that will better protect them from liability,” said Nathan Wenzler, senior director of Cybersecurity at Moss Adams.
“We’ve seen areas where the government has stepped in to force more clarity and simplicity into notices (think nutrition labels on packaged food),” Wenzler added, “but that idea hasn’t made its way into data privacy and breach notification laws as of yet.”
So the data breach notification ends up complicated for both the business and the consumer. The business doesn’t always have the full information necessary or any guidelines of what to tell the consumer. As a result, the consumer is left in the dark, wondering if the letter they received meant they are the victim of identity theft or if their information was never touched. The less the consumer knows about the situation at hand, the less they are going to do.
Unfortunately, there is no easy solution here until clear language about what notifications should include is written into the regulations. In the meantime, businesses should ensure an open line of communication with their customers. Customers should always assume that if they get such a letter, they should change passwords and run credit checks.
“We need to move toward a more clear and simplified standard for data breach notifications, where customers can understand exactly what happened and to what extent their information was compromised,” said Wenzler. “This will allow users to make better decisions about the next steps to protect themselves from whatever damages could occur from this kind of loss.”