The constant string of data breaches isn’t what I’d call funny, but it does make me think about one of my favorite cinematic comedies. The film “Groundhog Day” stars Bill Murray as a grumpy weatherman who travels to the little town of Punxsutawney, Pennsylvania, where a famous rodent supposedly predicts when spring will arrive.
According to some unexplained movie logic, Murray’s character ends up caught in a time warp so that he wakes up the day after Groundhog Day and it’s — you guessed it — Groundhog Day once again. No matter what he does, he wakes up day after day and the same events happen again and again. As you can imagine, the poor weatherman starts to lose his mind and, for a time, gives up trying to change his fate.
In the world of cybersecurity, things don’t appear to be much different. If it feels like there’s a new data breach reported every day, that’s because it’s more or less true. According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005 — and those are just breaches that were reported in the U.S. or affected U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches a day.
All told, there were at least 11.6 billion records lost in those breaches. The consequences for the economy and individual businesses and consumers are mounting, and the cost of these breaches is staggering if you consider the average cost per lost record, which was $148 in the U.S. last year.
These data points raise other questions about the human impact of data breach Groundhog Day, if you will. How does the daily barrage of data breaches affect our behavior? Are we responding with urgency to this growing problem as consumers, businesses and security professionals? Or have we given a collective shrug, accepting that this is the new normal?
What Does Data Breach Fatigue Look Like?
One apparent consequence of constant breaches is data breach fatigue — the idea that consumers have become inured to the effects of data breaches and are less motivated to do anything to protect themselves. The data breach fatigue effect is a little hard to calculate, but there is some evidence it exists, and the fallout is harmful to both consumers and the breached organizations.
In one study, researchers measured consumer sentiment on social media in the aftermath of a breach at the U.S. Office of Personnel Management that affected 21.5 million people. According to the study, overall sentiment about the breach was tinged with anxiety and anger, but victims of the breach showed higher levels of sadness. Moreover, social media chatter about the breach dropped off significantly over time. Two months after the breach, engagement was almost nonexistent, which the researchers said showed acceptance, apathy and the onset of breach fatigue.
While there isn’t a lot of data on how people respond to having their personal information breached, there is some evidence in consumer surveys that data breach fatigue is setting in. For example, a significant proportion of users don’t take proactive steps to improve their security after a breach, such as changing their passwords or checking their credit score. Although almost 50 percent of respondents to a 2016 Experian survey said they were taking more precautions to protect their personal information, just 33 percent check their credit scores regularly and only 36 percent review the privacy policies of the companies they do business with.
In another study conducted by RAND Corporation, only half (51 percent) of survey respondents said they changed their password or PIN after a breach, and a scant 4 percent said they started using a password manager. While 24 percent said they became “more diligent” in response to a breach, 22 percent took no action whatsoever.
Finally, a survey conducted by Ponemon Institute in 2014 on behalf of Experian found that many consumers were taking a passive approach to data breach notifications. Of the 32 percent of consumers who had received at least one data breach notification in the prior two years, their concern about breaches didn’t necessarily produce an urgent response. Although 45 percent of breach victims said they were “very concerned” or “extremely concerned” about the potential for identity theft, 32 percent said they ignored the breach notification or took no action, and 55 percent said they did nothing to protect themselves from identity theft.
If data breach fatigue contributes to consumers failing to take the necessary precautions to protect themselves, it could leave those consumers at greater risk of identity theft, damaged credit, financial loss and privacy violations. But before we start blaming the victims for being irresponsible, it’s clear from the Ponemon/Experian study that many breach victims feel powerless or even trapped because the products and services they depend on from breached companies can’t easily be replaced, and nothing they can do as individuals will change the likelihood that their data will be breached.
The Dangers of Data Breach Fatigue
There’s another risk from data breach fatigue that is maybe underappreciated: that organizations will assume their security and privacy practices won’t matter to consumers. We know from surveys that consumers are very concerned about cybersecurity, but constant breaches have caused a steady erosion of trust between businesses and customers.
In another consumer survey from 2018, conducted by The Harris Poll on behalf of IBM Security, only 20 percent of respondents said they “completely trust” organizations they interact with to maintain the privacy of their data, and 73 percent said it is extremely important that companies take swift action to stop a data breach.
People do care about the security and privacy of their information, and some will take their business elsewhere. In the 2014 Ponemon survey for Experian, 29 percent of respondents said they stopped doing business with a company after a breach.
There are some things organizations can do to start rebuilding trust. Consumers expect a certain baseline of activity in a company’s response that includes identity theft protection and credit monitoring, access to customer service to handle questions and, perhaps most importantly, a sincere apology.
According to Michael Bruemmer, a vice president of consumer protection at the Experian Data Breach Resolution Group, the following steps are crucial to effective communications after a breach:
- Provide timely notification explaining what happened and why.
- Explain the risks or impact to the customer as a result of the breach.
- Explain all the facts and don’t sugarcoat the message.
- Make the communications more personal with less technical and legal jargon.
- Describe easy-to-follow steps for customers to protect themselves from identity theft and fraud.
- Consider using other communication channels to reach customers, including social media and a secure website to answer frequently asked questions and a way for customers to enroll in identity theft protection services.
Practice Your Incident Response Plan
Caleb Barlow, vice president of threat intelligence at IBM Security, said having an incident response playbook is “just the beginning.” Organizations need to practice for a full-business response and hone the crisis leadership and communication skills of executives, board members and heads of key departments, such as PR and HR.
“In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next,” Barlow wrote in a blog post. “That’s when your training and muscle memory kicks in and you execute your plan. If you don’t practice it, you are exposed to an avoidable disadvantage.”
To stop the cycle of data breaches and data breach fatigue, organizations and consumers alike need to shake off our fatalism and reluctance to change. Cyberattacks and breaches may be inevitable, but we have control over the way we respond, and we can’t afford to accept the status quo.
We can’t keep doing the same things and expect different results. If data breach fatigue keeps organizations stuck in a pattern of passive and uncoordinated breach responses — and if consumers remain reluctant to take security into their own hands — then every day is going to feel like just another Groundhog Day.