Companies impacted by data breaches may follow the letter of the law when they notify customers. But those letters are creating distrust, customer loss and even lawsuits.
The New York-based global law firm of White & Case LLP just released results of a national survey on data security breach notification that shows citizens aren't happy with how and when they're being notified that their private data was lost or stolen -- a problem that at least 23 million Americans have dealt with within the last year. This year's avalanche of publicized data thefts has led at least 18 states to pass notification laws similar to California's SB 1386. A national version is now working its way through Congress.
The goal in all of these laws is to ensure consumers know when they're at risk of fraud and identity theft. But such a measure does not come without consequences. Rather than be grateful for the notice, consumers are angry that the messages are densely written or void of details, and they're terminating relationships and even seeking damages in court.
"It seems that what determines an organization's ability to protect its reputation and maintain the trust of its customers and employees in the aftermath of a breach is the quality of the notification," according to the report prepared by the Arizona-based Ponemon Institute LLC, which conducted the online survey of 9,154 individuals. Of that number, 1,109 -- or 11.6% -- said they'd been notified about the loss or theft of their personal information.
The vast majority of those notified victims were customers or consumers, rather than employees or students. Financial institutions, government agencies, state universities and health care providers were most likely to report a breach. The most common forms of notice were form letter, phone call or personalized letter. But such communications were frequently rejected by respondents who mistook form letters for junk mail, e-mail for spam and phone calls for telemarketing.
And once they were notified, it usually got worse. Almost half said the notices were difficult to understand and didn't contain enough details, particularly what was being done to protect them now. That may be because the most common remedies offered by companies were merely to open a new account and monitor the old one for suspicious behavior. "More than 28% of respondents said they had no idea about the facts of the incident even after receiving notification of the breach," the report said. Only 22% understood encryption's purpose and the role it played in why they were notified (because it wasn't in use at the time of the loss or theft). Lawmakers typically allow notification exemptions if the missing or pilfered data was scrambled.
But for companies forced to come clean with their clients -- or, as in the case of data brokers, with victims who didn't even know their information was on file -- repercussions can be serious. Twenty percent in the survey said they ended their relationship with the company and another 40% were considering it. Also, 5% hired lawyers.
"Five percent may not seem like much, until you realize that anywhere between 23 million and 50 million Americans have received notification of a data security breach. That means that over 1 million people out there are likely seeking legal counsel," David Bender, who co-heads White & Case's privacy practice, said in a statement. "This should be particularly troubling to companies, especially in light of several putative class-action lawsuits recently filed in California against companies that experienced security breaches."
Only 8% didn't blame the organization that reported the breach for their loss of trust.
The Ponemon Institute research indicated companies that failed to communicate a breach in a "clear, consistent and timely fashion" were four times as likely to experience customer churn. Those that used e-mails or form letters were three times as likely to lose customers as those that called and/or sent personalized letters. The White & Case attorney recommended companies send a personalized letter and follow up with a phone call. Companies also should consider providing free credit report monitoring for a period of time.
"One thing that comes through clearly in the survey is that those companies taking pains to handle the breach correctly lost the fewest customers," Bender said. "In the event a breach occurs, the survey suggests that the company should send each victim a notification that is timely; is written in clear language free of technical or legal jargon; is detailed enough to describe what has happened; and that offers a victim assistance hotline."