Consumers are showing signs of accepting that data breaches are a normal part of doing business and living life online. The trend has been building since roughly 2011, the first "year of the breach."
The idea behind "breach fatigue" is that once consumers have lived through enough incidents in which their personal data is stolen, and enough headline announcements from Target, Sony, Anthem, Home Depot, or whichever company is next, they care a little less each time it happens.
OpenDNS Director of Security Tom Hash said in an interview for a previous article on the subject that consumers might not expect a breach to affect them, and may be surprised when it does, but that “most people don’t realize how sophisticated attack tools have become—tools that make it easy to exploit security vulnerabilities.”
A new study suggests that consumers might now understand that a breach could happen to them personally, but that they also might not care. A survey of 2,038 adults conducted by Rand Corporation found that as much as a quarter of Americans have been notified that their information was compromised in a breach. The same survey, however, found that only 11 percent of those who were notified stopped doing business with the company.
This is a good sign for companies that may be breached in the future, as it suggests a breach will not cripple the business. But it should also reinforce the case for open and honest disclosure when a breach happens. Companies with a loyal customer base should find that those affected by a breach will be forgiving when one occurs, or at the very least apathetic to it. This assumes the company is transparent about the event's details and what information was stolen, and proactively does all it can to minimize the damage. For now, that mostly means credit monitoring: the same Rand Corporation study found that 62 percent of those who had been through a data theft incident had accepted free credit monitoring.
So is it breach fatigue? Or breach acceptance?
Either way, the survey also had suggestions from participants for how companies should respond to breaches, all of which they preferred over monetary compensation:
- Take measures to ensure that a similar breach cannot occur in the future
- Offer free credit monitoring or services to ensure that lost data is not misused
- Notify customers immediately
Though these suggestions are a good start, companies should treat them as the bare minimum, since two of the three (prompt notification and credit monitoring) take little effort and cost comparatively little. Companies should also have their engineering leads establish the scope and technical details of what was breached and which services are specifically affected. If Company A provides an API that others build their own services on, or the breach involves a program that has been downloaded thousands of times, the technical community will want to know how to respond and whether its own services are vulnerable as a result.
Another important consideration is correctly framing the severity of a vulnerability or breach. Companies will always try to minimize the damage to save face and retain customers. Bounty hunters, researchers, and security companies will often play up a finding to make a name for themselves. But as a community we need to inject some reality into how bad something truly is, both to avoid unnecessary panic and to encourage an appropriate response.
On the Wire Editor-in-Chief Dennis Fisher wrote that an appropriate framing of severity is important, as this overplaying of bugs and vulnerabilities might soon cause consumers and customers to turn a deaf ear. “People tend to get fatigued by this stuff rather quickly, and the attention span of the Internet is shrinking by the second,” Fisher wrote in a post on Digital Guardian. “So don’t be surprised if users start tuning these announcements out and ignoring the constant drumbeat of Next Big Bug.”