[BreachExchange] Data breach fatigue requires better response planning

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 14 20:20:48 EST 2018


With the number of data breaches reaching record levels and expected to
rise, companies and consumers alike are trying to navigate a new reality
where data theft is a common occurrence. While companies look to protect
themselves from both an actual attack and the potentially devastating cost
of remediation and notification, consumers are just trying to make sense of
a seemingly endless flood of notification letters.

Perhaps unsurprisingly, one of the ways that consumers are reacting is by
turning a blind eye to the whole issue. No one likes to have their data
compromised, but when you hear about it happening so often, it’s easy to
grow indifferent.

According to new research from a group of professors at Iowa State
University and the University of Texas San Antonio, this is referred to as
data breach fatigue, and it is on the rise among consumers.

Data breach fatigue is a phenomenon that occurs when data theft becomes so
normalized that individuals essentially grow numb to the threat of losing
their personal data. It can lead to an increased sense of inevitability,
often accompanied by apathy or indifference. They start to think, “If
someone already has all my information, why should I bother protecting it?
If it’s already out there, why do I care if another company loses it?”

So what impact does this trend have on companies trying to navigate the
increasingly complex process of planning for and responding to a data

At first glance, this trend may be seen as a positive. One of the toughest
parts of handling a breach is communicating about it with your customers.
If data breach fatigue means they are less inclined to react negatively, it
could potentially lessen the pain that comes with informing them that their
data was lost. It’s always easier to tell someone bad news, if they don’t
get upset easily.

Unfortunately, this does not actually equate to an easier notification
process. In reality, it has the opposite effect. Because consumers view a
data breach as a routine occurrence, it means the notification process has
become routine, as well. The same phenomenon that makes them more likely to
shrug their shoulders about the actual breach, makes it more likely that
they will notice if your response deviates from that routine.

This actually puts more pressure on you to execute a flawless incident
response, because while the breach itself may not attract much attention,
your response easily could.

So what can you do to ensure your incident response doesn’t stand out from
the crowd for all the wrong reasons?

The best way to stay under the radar is to make sure the focus stays on the
breach, not on your response. This starts with incorporating a good
communications plan into your incident response by establishing
communications channels and processes, during the planning phase, that
prioritize your customers’ need for information.

When an incident actually occurs, you simply tailor these pre-built
channels and processes to the specifics of your event and implement a
simple script to ensure the content you are pushing out is clear, contrite
and consistent. This 3-step script acknowledges that something happened,
apologizes for the impact on your customers, and finally, prevents your
story from changing over time.

It sounds overly simplistic, but this 3-step script is part of the routine.
When you execute it properly, customers can be surprisingly forgiving. When
you don’t, your response becomes the focus for all the wrong reasons.

Bottom line – everything is routine, until it isn’t.

The quickest way to snap someone out of data breach fatigue is to deviate
from the script and draw attention to your mistakes. As we’ve seen
countless times over the past year, once indifference is replaced with
anger, it’s hard to right the ship. A poorly handled response can snowball
rapidly, and what was supposed to be a clean exercise in standard customer
notification suddenly becomes a chain reaction of negative attention being
paid to your handling of the situation, rather than to the actual breach

When you experience a breach, the best you can hope for is that your
customers will shrug and move on. Data breach fatigue makes this more
likely, but only if you are prepared with a response that communicates
effectively and meets everyone’s expectations. Any detour from the script
won’t just get your customers’ attention, it risks drawing their fire.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180214/011ac643/attachment.html>

More information about the BreachExchange mailing list