[BreachExchange] How to write an effective data breach notification?

Destry Winant destry at riskbasedsecurity.com
Fri May 24 09:10:49 EDT 2019


https://www.helpnetsecurity.com/2019/05/23/effective-data-breach-notification/

Data breach notifications sent by companies to affected customers are
often unclear and not very helpful, University of Michigan researchers
have found.

The problem(s)

The researchers have analyzed 161 data breach notifications sent by
companies to US consumers between January and June 2018, and
discovered that:

- Most were lengthy and would be difficult to understand for the
general public (they require advanced reading skills).
- Many companies downplay or obscure the likelihood of the receiver
being affected by the breach and associated risks. They do so by using
hedge terms such as “potentially” and “may” and by using statements
such as “we have found no evidence indicating that your breached
personal data has been misused”.
- Recommended actions are usually detailed, but they are buried in
long paragraphs with little to no guidance about their effectiveness
or urgency, making it difficult for the reader to navigate and
prioritize them.

Recommendations

Breached companies might have the obligation to send out a breach
notification to affected users and might have to meet certain content
requirements, but too many companies opt for language and structure
that doesn’t spur consumers to make use of available protective
measures.

The researchers advise writers and designers of data breach notifications to:

- Devote more attention to visual attractiveness (headings, lists and
text formatting) and visually highlight key information.
- Make the notice readable and understandable to everyone by using
short sentences, common words (and very little jargon), and by not
including unnecessary information.
- Avoid hedge terms and “no evidence” claims (claims of no evidence of
misuse could be misinterpreted by consumers as evidence of absence of
risk).

A final and very important recommendation is to provide actionable
choices and nudge users towards them.

“Actions of high priority (e.g. due to high effectiveness, urgency, or
easiness to initiate) should be listed before other options. For
instance, credit freeze should be mentioned in the main text, and
above other options such as fraud alert and credit lock, to indicate
its effectiveness in preventing access to credit reports and thereby
proactively reducing identity theft risks,” the researchers say.

In addition to this, notifications should explicitly recommend
specific actions and directly explain the reasons why each of them is
recommended.

Here’s a proposed example of actionable, prioritized, well-explained guidance:

We recommend that you first place a credit freeze on your credit
report, as it prevents credit, loans and services from being approved
in your name without your consent. Next, you can also consider placing
a fraud alert on your credit report. While less restrictive, a fraud
alert tells creditors to be cautious before they open any new accounts
or change your existing accounts.
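The recommendations above (short sentences, no hedge terms or “no evidence” claims, actions listed in priority order with credit freeze first) can be turned into a simple lint check that an incident response team runs over a draft notice before it goes out. The following is an added example written for this post; it is not code from the article or the University of Michigan researchers. The sentence-length threshold of 25 words, the hedge-term list and the BAD_NOTICE text are assumptions constructed for illustration; GOOD_NOTICE is the article’s own proposed wording.

```python
import re

# Hedge terms the article singles out, plus a few common variants (assumed list)
HEDGE_TERMS = ("potentially", "may", "might", "could", "possibly")
NO_EVIDENCE_RE = re.compile(r"\bno evidence\b", re.IGNORECASE)
# Protective actions in the priority order the researchers recommend
PRIORITY_ACTIONS = ("credit freeze", "fraud alert", "credit lock")
# Assumed threshold for "short sentences"; tune to your own style guide
MAX_AVG_SENTENCE_WORDS = 25

# The article's proposed example wording (used here as the "good" input)
GOOD_NOTICE = (
    "We recommend that you first place a credit freeze on your credit "
    "report, as it prevents credit, loans and services from being approved "
    "in your name without your consent. Next, you can also consider placing "
    "a fraud alert on your credit report. While less restrictive, a fraud "
    "alert tells creditors to be cautious before they open any new accounts "
    "or change your existing accounts."
)

# Constructed sample of the style the researchers criticise (not a real notice)
BAD_NOTICE = (
    "We recently became aware of a security incident that may have "
    "potentially involved some of your personal information, and while we "
    "have found no evidence indicating that your data has been misused, we "
    "encourage you to consider placing a fraud alert on your credit report, "
    "and you may also wish to consider a credit freeze or credit lock if you "
    "feel it is appropriate."
)


def split_sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]


def average_sentence_length(text):
    """Mean number of whitespace-separated words per sentence."""
    sentences = split_sentences(text)
    if not sentences:
        return 0.0
    return sum(len(s.split()) for s in sentences) / len(sentences)


def find_hedges(text):
    """Return the hedge terms present in the text, sorted, without duplicates."""
    words = re.findall(r"[a-z']+", text.lower())
    return sorted({w for w in words if w in HEDGE_TERMS})


def action_order(text):
    """Return the recommended actions in the order they first appear in the text."""
    lower = text.lower()
    found = [(lower.find(a), a) for a in PRIORITY_ACTIONS if a in lower]
    return [a for _, a in sorted(found)]


def lint_notice(text):
    """Check a draft notice against the researchers' recommendations.

    Returns a list of finding strings; an empty list means no issues found.
    """
    findings = []
    avg = average_sentence_length(text)
    if avg > MAX_AVG_SENTENCE_WORDS:
        findings.append(f"average sentence length {avg:.1f} words exceeds {MAX_AVG_SENTENCE_WORDS}")
    hedges = find_hedges(text)
    if hedges:
        findings.append("hedge terms present: " + ", ".join(hedges))
    if NO_EVIDENCE_RE.search(text):
        findings.append("'no evidence' claim present; readers may read it as absence of risk")
    order = action_order(text)
    expected = [a for a in PRIORITY_ACTIONS if a in order]
    if "credit freeze" not in order:
        findings.append("credit freeze is not mentioned")
    elif order != expected:
        findings.append(f"actions out of priority order: {order} (expected {expected})")
    return findings


if __name__ == "__main__":
    for label, notice in (("good", GOOD_NOTICE), ("bad", BAD_NOTICE)):
        print(f"{label}: {lint_notice(notice) or 'no findings'}")
```

Running the script reports no findings for the article's example and four for the constructed draft (an overlong sentence, the hedges “may” and “potentially”, a “no evidence” claim, and fraud alert listed ahead of credit freeze). The checks are deliberately lexical; they catch the patterns the study describes, not every way a notice can be unclear.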

The researchers also advise law makers and regulators to provide clear
guidance on how to produce an effective data breach notification. That
includes specifying what it means to write one in “plain language” and
encouraging companies to deliver the notification via multiple
channels.
