Why Companies Send Confusing Alerts About Data Breaches

The notifications that companies send consumers about data breaches lack clarity and may add to customer confusion about whether their data is at risk, according to new research.

Building on their previous research that showed consumers often take little action when facing security breaches, researchers analyzed the data breach notifications companies sent to consumers to see if the communications might be responsible for some of the inaction.

They found that 97 percent of the 161 sampled notifications were difficult or fairly difficult to read based on readability metrics, and that the language used in them may have contributed to confusion about whether the recipient of the communication was at risk and should take action.

“Our analysis shows that requiring companies by law to send data breach notifications alone is not sufficient,” says Yixin Zou, a doctoral student at the University of Michigan.

“It is important to ensure that important information such as what happened and what consumers should do to protect themselves is communicated in those notifications in a way that is understandable and actionable by consumers.”

Citing statistics from the Privacy Rights Clearinghouse, the authors note that in 2017 there were 853 data breaches that compromised 2.05 billion records, which included consumer names, contact information, account numbers, credit card details, social security numbers, shopping and purchasing records, social media posts and messages, and health records.

In response, most countries, including the United States, adopted data breach notification laws. In the US, each state has its own data breach law, which means that the threshold for when companies must notify consumers, how soon after a breach they must send notifications, and what that notification must look like vary across states.

This allows much freedom for companies to use hedge terms that downplay risk—using phrases like “you might be affected” and “you are likely to be affected” in 70 percent of notifications and saying “at this time, we have no evidence of exposed data being misused” 40 percent of the time.

It also allows a lack of consistency in addressing the cause of the breach, the date of occurrence, and the amount of exposure time, the researchers say.

“There’s little incentive for companies to invest in making data breach notifications more usable,” says Florian Schaub, an assistant professor in the School of Information.

“For most companies, those notifications are only seen as a requirement for complying with data breach notification laws rather than a way to educate and protect their customers. We need to rethink and rework consumer protection laws such as these to ensure that companies’ notifications are actually helpful to consumers,” Schaub says.

Most state laws require companies to notify affected consumers in written letters or by telephone. Emails, website announcements, notices to statewide media, or other electronic methods are usually substitutes. The study shows a consistent pattern with 95 percent of the analyzed notifications delivered by mail. The researchers say the slow speed of a mailed letter might increase the time when consumers remained uninformed of the breach.

The researchers shared their work at the CHI Conference on Human Factors in Computing in Glasgow, Scotland.

Source: University of Michigan
