Lillian Ablon & Kathryn Kuznitsky
of just under 100 million records stolen from both the Office of Personnel Management and Anthem pales compared to the revelation that at least 500 million Yahoo accounts have been compromised—though one might argue that the impact is just as significant. Every time something like this happens, a familiar scene unfolds: There’s a mad scramble to learn how it took place, determine the impact on the companies and encourage consumers (not always successfully) to change passwords, reset accounts, or perform some other security action.
In response to large breaches, the targeted company often reaches out to the affected individuals to let them know. Although data theft like this has become part of the modern digital landscape, and studies have examined the costs and causes of these incidents, as well as the financial impact to the companies, little is known about how consumers react—how the tens of millions of account holders whose data and personal, financial, or health information is at risk respond to the breached company, to the notification that data theft has occurred, and to the company’s subsequent actions.
To try to understand consumer reaction to a data breach, RAND researchers recently explored the practice of sending out data breach notifications. The research suggests, perhaps surprisingly, that consumers whose personal data has been compromised remain satisfied with and loyal to companies that have experienced a data breach. For instance, 77 percent of notified victims reported being content with how the company handled the breach and its follow-up notification. Only 11 percent cut their ties with the company.
What’s especially interesting about these findings is that more than a quarter of U.S. adults (more than 60 million Americans) had their personal data compromised between mid-2014 and mid-2015—and as a group they more or less collectively shrugged about it. Why do the majority stay true to a company? It’s still unclear. Some customers would probably prefer to leave, but they may be tied to the breached company for some reason, such as receiving employer-provided health insurance or needing services that are unique to a specific company.
Yahoo has been fairly quick to react to the breach. Email notifications to victims were sent within hours of the media disclosing the data leak last week. (We know because one of us was among those alerted.) Still, news outlets were the first to spread the word far and wide.
The RAND research involved administering a first-of-its-kind survey and found that 44 percent of the time, victims first learned of a breach through some means other than from the company. Prompt notification of potential harm can help reduce consumer losses, but notifying individuals too soon may be impractical for the company. The business may simply not have enough information concerning the cause or scope of the data theft to alert consumers, and doing so may jeopardize ongoing law enforcement investigations.
Security experts recommend that individuals with Yahoo accounts act quickly to change passwords and security questions, employ password managers and, when possible, enable multi-factor authentication, to prevent the attackers from further exploiting the stolen data.
But will people actually take these additional steps to improve their data security? We found that only 51 percent of victims surveyed in our study changed their passwords or took some additional action. More people might respond if, as part of their post-breach protocol, affected companies instituted a feature that requires users to change their passwords the first time they try to access the site after a breach. Forced compliance, in the name of security.
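One way to implement the forced-reset gate suggested above, as an added Python sketch that is not RAND's, Yahoo's or any company's code; the account store, the hashing parameters, the breach-discovery timestamp and the old-password check used to authorize the reset are all assumptions:

```python
"""Post-breach forced credential reset: accounts whose password predates the
breach discovery are flagged, and a correct login yields no session until the
user sets a new, different password. (Added illustration; all details assumed.)"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: float          # unix time the current password was set
    must_reset: bool = False  # gate: stays true until a new password is chosen


def hash_pw(pw: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for whatever hashing the site really uses.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def new_account(name: str, pw: str, set_at: float) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, hash_pw(pw, salt), set_at)


def flag_breached(accounts: list, breach_discovered: float) -> int:
    """Flag every account whose password was set before the breach was discovered."""
    flagged = 0
    for a in accounts:
        if a.pw_set_at <= breach_discovered and not a.must_reset:
            a.must_reset = True
            flagged += 1
    return flagged


def login(a: Account, pw: str) -> str:
    """'denied', 'reset_required' (password correct, no session) or 'session'."""
    if not hmac.compare_digest(a.pw_hash, hash_pw(pw, a.salt)):
        return "denied"
    return "reset_required" if a.must_reset else "session"


def reset_password(a: Account, old_pw: str, new_pw: str, now: float) -> bool:
    """Reset succeeds only if the caller proves the old password and picks a new one.
    Assumed flow: real sites usually bind this to an out-of-band token (e-mail link),
    since an attacker holding the leaked password could otherwise pass this check."""
    if not hmac.compare_digest(a.pw_hash, hash_pw(old_pw, a.salt)):
        return False
    if hmac.compare_digest(a.pw_hash, hash_pw(new_pw, a.salt)):
        return False  # re-using the compromised password defeats the reset
    a.salt = os.urandom(16)
    a.pw_hash, a.pw_set_at, a.must_reset = hash_pw(new_pw, a.salt), now, False
    return True
```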
Breached companies can take other steps to appease affected customers. Consumers report the highest rates of satisfaction when their breach notifications are timely, when they are kept up to date on remediation and improved security measures, and when they are offered identity and credit monitoring services. Essentially, people want to know that something is being done to remedy the situation, and they want to be kept abreast of what that something is.
Since absolute breach prevention is not possible, knowing what people want in the wake of these incidents is important. It behooves everyone—consumers and corporations alike—to accept this risk as a “when,” not an “if,” and to prepare for its inevitability.