In-brief: According to data from Experian, fewer than one in ten consumers who have had personal information exposed in a major data breach take advantage of credit monitoring services offered by the company responsible for the breach – evidence of what the company says is data breach fatigue.
Another week, another parade of data breaches. In just the last few days, two major U.S. corporations have added their names to the list of those ravaged by faceless hackers: The Hard Rock Hotel and Casino acknowledged a security incident that may have affected customer credit card information stored by the firm. Add to that a report from the security website Krebsonsecurity.com, which suggested that the beauty supply chain Sally Beauty Holdings may have been the victim of yet another attack that resulted in the compromise of customer data – its second in six months.
But consumer protection and privacy advocates shouldn’t hold their breath waiting for data privacy’s “Network” moment, when Americans throw open the window to scream “I’m as mad as hell, and I’m not going to take it anymore!” To the contrary: data from one of the U.S.’s largest credit monitoring firms suggests that U.S. consumers are breached, bummed and burned out: little moved by new revelations of corporate data security lapses and disinclined to do anything about it.
Just one example: according to data from Experian, fewer than one in ten consumers who have had personal information exposed in a major data breach take advantage of credit monitoring services offered by the company responsible for the breach.
The statistic is just one piece of evidence supporting the idea of what one executive calls “breach fatigue” among businesses and consumers alike, after years of serial data thefts that have laid bare the personal information of a huge swath of the U.S. public.
“There’s definitely breach fatigue going on,” Michael Bruemmer, Vice President of Consumer Protection at Experian Consumer Services, said of the phenomenon.
Experian, which provides credit-monitoring services directly to consumers and on behalf of businesses, has seen a large increase in the number of U.S. adults affected by data breaches. In 2013, just 25% of the adult population in the U.S. received a notice about a data breach that affected them. In 2014, the average U.S. adult received not one but three notices of a data breach that affected them, according to Experian data.
However, the response to those notices has been muted, to say the least, Bruemmer told Security Ledger. “Those users are either disregarding (the notices) or not taking advantage of their recommendations to protect themselves going forward,” he said. That includes signing up for the free credit and identity-theft monitoring services that are often offered by breached firms, as well as steps like changing passwords, shredding sensitive documents and ordering new credit cards to replace those stolen by data thieves.
Experian has long noted that the vast majority of consumers affected by breaches do not take advantage of the free credit and identity-theft monitoring services offered. Overall, the adoption rate for those services is less than 10 percent. Paradoxically, for very large and well-publicized breaches, like the one affecting Target Stores, the adoption rate is even lower: in “the low single digits,” Bruemmer told Security Ledger.
Darrel Ng, a spokesman for Anthem, the health insurance company that had information on some 80 million consumers stolen by data thieves, declined to provide specific numbers, but said that company’s data on customer adoption of credit monitoring services was in line with Experian’s numbers for large data breaches.
[Read Security Ledger coverage of the Anthem data breach.]
There are many possible explanations for consumers’ lack of interest in free credit monitoring services – a premium service. Bruemmer said that consumers may, in some cases, be confused by the wording of notification letters such as this one, which assure consumers that “no action needs to be taken” to qualify for the credit monitoring services.
In fact, consumers must explicitly consent to firms like Experian monitoring their credit activity for signs of identity theft. But Bruemmer worries that the wording of the breach letters leaves the opposite impression. “People need to be instructed very clearly: ‘these are the steps to take to protect yourself,’” Bruemmer said.
In other cases, those affected are not able to take steps to protect themselves. Minors and the deceased are often caught up in breaches such as those at Anthem and other health care firms – and that kind of identity theft can go undetected for years, he said.
There is evidence, as well, that consumers’ lack of attention to incidents of data theft is making companies less fearful of negative repercussions following such incidents. An Experian-funded survey by the Ponemon Institute of 748 information technology professionals involved in risk management found that a strong majority of them – 66% – said that shareholder legal action and stock price declines following a data breach were not a concern for their organization. Just 23 percent of those surveyed cited a decline in stock price following a breach as a concern.
Bruemmer said the fraud notification and credit monitoring services are popular with executives: they give the breached firm a chance to interact with affected customers and explain what happened and how to protect themselves. Companies can typically pay for such services in bulk or on a case-by-case basis as customers sign up. Under the latter payment plan, single-digit adoption figures mean that companies pay only a fraction of the potential cost of making affected customers whole, greatly reducing one of the biggest financial costs of a breach.
Anthem contracted with the firm All Clear Id to provide credit monitoring for its customers, but it declined to say how it was paying for those services. The company has, however, been forthcoming with data about the breach, including a website set up to inform consumers and provide links to credit monitoring services paid for by the company. To date, Anthem has offered affected customers a wide range of options, from identity theft repair services to credit monitoring to identity protection services for minors, Ng said.
Asked if he was a user of such services, Anthem’s spokesman acknowledged that he was: paid for courtesy of Home Depot, Ng said.
Retailers have been vocal in calling for the passage of federal data breach disclosure legislation. However, action in Congress, including on the National Cybersecurity Protection Act (NCPA), has been held up over disagreements about the extent of the immunity granted to companies that disclose breaches to the federal government. More recently, a bipartisan bill was introduced in the House of Representatives that promises new protections for sensitive financial information and uniform guidelines for consumer notification of breaches. H.R. 2205, the Data Security Act of 2015, is a bipartisan measure by Congressman Randy Neugebauer (R-TX) and Congressman John Carney (D-DE), but it would still need to be matched with similar legislation in the Senate and signed into law by President Obama – both big hurdles.
In the meantime, companies do the best they can to navigate a maze of scores of different data breach disclosure laws governing individual states and the District of Columbia.
Regardless of what happens on Capitol Hill, the three main parties involved in processing payments – card issuers, banks and credit card firms like Visa and Master Card – need to work closely together to build a viable system for responding to breaches, Bruemmer said.
“They need to sit down and have a reasonable solution that says ‘here are the current laws and here’s where our responsibility begins and ends,’” he said. “Otherwise it’s consumers left holding the bag.”