3 Steps to Combat Breach FatigueHack of Supervalu Contributes to a Sense of Apathy
Warning: customers' personal details and card information may have been compromised by hackers.
See Also: Secure Access in a Hybrid IT World
So says supermarket chain Supervalu in an August 15 alert that it's investigating a network intrusion at more than 1,000 stores across the U.S. But similar data breach warnings have been sounded repeatedly in recent months. The Identity Theft Resource Center reports that during the past year alone, it counted 400 U.S. breaches - or 1.1 per day. In the past 12 months, breached organizations have included Target, eBay, P.F. Chang's, Neiman Marcus and the U.S. Department of Energy.
There's an increasing sense of "data breach fatigue" as these breaches take a psychological toll. Business executives, for example, may feel that no amount of preparation matters, thus leading boards of directors to skimp on necessary information security spending. Consumer reactions, meanwhile, can vary between apathy and extreme caution, with individuals potentially curbing their use of payment cards and taking their business elsewhere, or else ignoring personally identifiable or health information breach warnings altogether.
"The number-one driver of fatigue is the volume of notices that a consumer is getting," says Michael Bruemmer, vice president of data breach resolution at Experian Consumer Services. "Two years ago, less than 10 percent of the U.S. got a notice of a breach impacting their PII/PHI. Today, that number is closer to 40 percent of the U.S. population."
To better secure customer data and corporate reputations, businesses must combat the rise in data breach fatigue. Start with these three steps:
1. Beware Warning Signs
Businesses should watch for internal data breach fatigue warning signs, such as apathy or despondency over breaches, or feeling like no amount of preparation will help. "There are big risks with breach fatigue. Businesses may become less worried about the long-term brand harm of a breach and therefore less inclined to spend what they should on preventing them," says Neal O'Farrell, CEO of Privide, a personal security firm. On the other hand, he says, breach-related regulations, potential costs and criminal liability, as well as executive job security, all work to counter breach fatigue in businesses. "But I do hear a lot of security people talk more about damage control and crisis communications as an alternative to better security."
Breach fatigue may be accompanied by an acute sense of fatalism, says O'Farrell, who's also executive director of the Identity Theft Council. "When it was discovered that a 17 year-old was behind the Target breach, and a bunch of Russian buddy spammers behind the recent billion-password haul" - referring to the Operation CyberVor campaign - "it really hurt everyone's confidence that any amount of security will work."
On the consumer front, breaches may make customers angry, resulting in class-action lawsuits and customer defections, possibly to the benefit of non-breached businesses. "For consumers directly involved in a breach, going through the process of updating online accounts for their health club membership, Netflix accounts and other re-occurring charges is more than just a slight nuisance," says Alan Ferguson, executive vice president of sales and marketing at independent IT audit and compliance firm Coalfire.
But as with businesses, these multiplying breaches may drive consumers to extremes or unexpected behavior. "I think consumers will go one of two ways," O'Farrell says. "They will get frightened enough to change their behavior for the worse, like stop shopping online, which hurts business and the economy, or they will just accept data breaches as a cost of doing business, like living with bacteria or germs, and that's dangerous because it breeds apathy."
2. Demand Systemic Changes
Combatting breach fatigue is complicated by the fact that despite advanced defenses and good intentions, with enough time and energy, nearly any business can be hacked. "Good, legitimate companies that have put best practices in place can still be the victims of a breach," says Eva Casey Velasquez, president and CEO of the nonprofit Identity Theft Resource Center. "Especially when we're talking about hacking - they're victims too. So we do have to put at least some of the blame on these bad guys."
Today's bad guys, furthermore, are not only increasingly targeting payment card systems directly, but successfully hacking them. That's why many security experts are calling on the leaders of the U.S. payment card industry - Visa, MasterCard, American Express, Discover - to overhaul a payment card infrastructure that still lacks end-to-end encryption and stronger cardholder authentication.
That's one way to directly fight breach fatigue: make it harder for attackers to steal card data, no matter where it's collected or stored. "We have to look at ways to make stolen information of little value," says Privide's O'Farrell. But while there are numerous ways to make that happen, "slow adoption by enterprises and the financial sector continue to block interesting solutions."
O'Farrell calls on more consumer privacy and protection advocates to sound alarms - and the same could be said for businesses - to translate these big-picture possibilities into reality. "It really is a battle between rabble-rousing and apathy - you're really trying to shake them out of their complacency," he says.
3. Keep Notifications Timely, Accurate
Some executives have suggested related problems could be solved if businesses didn't have to issue so many notifications. Such a strategy, they argue, could reduce the number of class action lawsuits breached businesses face, and help hide security vulnerabilities from copycat attackers.
But Velasquez argues otherwise. "The solution isn't less information or more secrecy or more autonomy for corporations to decide what they're going to disclose or not disclose," she says. "The solution is more access to good, solid information and resources for consumers so they can really understand what this means. You're always going to be catching people where this is their first exposure, and [so] education and awareness is critical." Indeed, receiving such an alert may be a consumer's first brush with password reuse questions, whether it's safe to click on links in e-mails, the need to get a new credit card if they spot signs of fraud on their account - never mind how the identity theft ecosystem works.
"We say, in this day and age, is it possible that someone doesn't know this?" she says. "Then we hear from consumers all the time who don't understand what a credit reporting agency is. They're in this game, but they don't know that they're playing it."
Hence one requirement for combating consumer breach fatigue falls to breached businesses themselves: Issue timely, accurate notifications. "We always recommend clients wait until the forensics is complete so when the notification and call centers are implemented, the quality of the communication to the consumer is excellent," says Experian's Bruemmer. "Consumers do not like to be told only part of the story and have it come out over multiple communications, or to call in, only to have to call back later since the services are not live."
The ITRC's Velasquez likewise says that "if you're able to wait and get more information and still will be in compliance with data breach notification laws," then it pays to wait. If news of the breach has already leaked publicly, of course, questions of clarity and preventing breach fatigue may take a back seat to wanting to avoid any impression of a cover-up, she says. "You might not want to wait."
It also pays to be accurate. "How the organization responds ... can be the deciding factor when it comes to consumer loyalty," Velasquez says. "A well-worded notice that is detailed but easily understandable, and which gives accurate, trustworthy information ... can defuse the frenzy and confusion, and actually build trust with your customer base, and have them feel like you're taking care of me."
For notifications - and preventing breach fatigue or feelings of anger and helplessness - clarity is also king. "Notifications should be written from the perspective of the consumer," says Bruemmer, and make clear - and easy - the steps they can take to protect themselves, such as regularly reviewing bank statements or signing up for a credit or ID theft monitoring service. "It is important to apologize, tell them what happened to the consumer's personal information, and most importantly, clearly state the steps the consumer should take to protect themselves."