Stress, Apathy and Winning by Default: How Consumers Respond to Data Breach Notification Letters

Published: June 26, 2014 by ofonseca

Data breach notification letters serve multiple purposes. They ensure a breached company is compliant with data breach notification laws, alert consumers to the breach and their involvement in it, and can warn customers of potential identity theft risks and educate them on how to cope with those risks. The one thing no company wants its notification letter to do, however, is make the recipients any more upset than they already are.

Yet that’s the reaction many consumers reported upon having received data breach notification letters, according to the study “The Aftermath of a Mega Data Breach: Consumer Sentiment.” Conducted by the Ponemon Institute on behalf of Experian Data Breach Resolution, the study provides some eye-opening insights into how consumers feel and what they do after receiving a breach notification letter.

To put consumer sentiment in perspective, consider these revelations from the study:

  • Among those polled, 63% said they felt the breached company should offer consumers identity theft protection by way of compensation, yet just 25% of people who had received a notification letter said they were offered identity theft protection in that letter.
  • The financial impact of the data breach was less significant for consumers than the emotional aspects. 81% of data breach victims said they had no out-of-pocket costs because of the breach. Conversely, 76% said they experienced stress as a result of the breach.
  • Consumers ranked a data breach as the third-most damaging event for a company’s reputation. Only poor customer service and an environmental incident (e.g. an oil spill or pollution) were seen as more damaging.

Other than getting stressed, what, then, do consumers do after they’ve received a data breach notification letter?

Most do little or nothing at all, which should be just as concerning to companies as the customers who end their business relationship with a company in the wake of a data breach.

More than half (55%) said they did nothing to protect their identities after receiving a notification letter, and 32% ignored the notifications and did nothing at all. This may seem counter-intuitive considering that the majority (77%) were at least somewhat to very concerned about becoming an identity theft victim because of the breach. Perhaps if these customers had been offered free identity theft protection in the notification letter, they would have accepted the offer.

These survey results underscore the need for companies to send strong, informative and compassionate data breach notification letters – and to offer consumers identity theft protection as part of the company’s data breach response.