The notifications that companies send consumers about data breaches lack clarity and may add to customer confusion about whether their data is at risk, according to new research.
Building on their previous research that showed consumers often take little action when facing security breaches, researchers analyzed the data breach notifications companies sent to consumers to see if the communications might be responsible for some of the inaction.
They found that 97 percent of the 161 sampled notifications were difficult or fairly difficult to read based on readability metrics, and that the language used in them may have contributed to confusion about whether the recipient of the communication was at risk and should take action.
“Our analysis shows that requiring companies by law to send data breach notifications alone is not sufficient,” says Yixin Zou, a doctoral student at the University of Michigan.
“It is important to ensure that important information such as what happened and what consumers should do to protect themselves is communicated in those notifications in a way that is understandable and actionable by consumers.”
Citing statistics from the Privacy Rights Clearinghouse, the authors note that in 2017 there were 853 data breaches that compromised 2.05 billion records, which included consumer names, contact information, account numbers, credit card details, Social Security numbers, shopping and purchasing records, social media posts and messages, and health records.
In response, most countries, including the United States, adopted data breach notification laws. In the US, each state has its own data breach law, which means that the threshold for when companies must notify consumers, how soon after a breach they must send notifications, and what that notification must look like vary across states.
This gives companies considerable freedom to use hedging terms that downplay risk—phrases like “you might be affected” and “you are likely to be affected” appeared in 70 percent of notifications, and “at this time, we have no evidence of exposed data being misused” appeared 40 percent of the time.
It also allows inconsistency in how notifications address the cause of the breach, the date it occurred, and how long the data was exposed, the researchers say.
“There’s little incentive for companies to invest in making data breach notifications more usable,” says Florian Schaub, an assistant professor in the School of Information.
“For most companies, those notifications are only seen as a requirement for complying with data breach notification laws rather than a way to educate and protect their customers. We need to rethink and rework consumer protection laws such as these to ensure that companies’ notifications are actually helpful to consumers,” Schaub says.
Most state laws require companies to notify affected consumers by written letter or by telephone. Emails, website announcements, notices to statewide media, or other electronic methods are usually accepted only as substitute methods. The study shows a consistent pattern, with 95 percent of the analyzed notifications delivered by mail. The researchers say the slow speed of a mailed letter might lengthen the period during which consumers remain uninformed of the breach.
The researchers shared their work at the CHI Conference on Human Factors in Computing in Glasgow, Scotland.
Source: University of Michigan