3 Steps to Combat Breach Fatigue

Hack of Supervalu Contributes to a Sense of Apathy

By Mathew J. Schwartz, August 18, 2014. Follow Mathew J. @euroinfosec

Warning: customers' personal details and card information may have been compromised by hackers.

So says supermarket chain Supervalu in an August 15 alert that it's investigating a network intrusion at more than 1,000 stores across the U.S. But similar data breach warnings have been sounded repeatedly in recent months. The Identity Theft Resource Center reports that during the past year alone, it counted 400 U.S. breaches - or 1.1 per day. In the past 12 months, breached organizations have included Target, eBay, P.F. Chang's, Neiman Marcus and the U.S. Department of Energy.

There's an increasing sense of "data breach fatigue" as these breaches take a psychological toll. Business executives, for example, may feel that no amount of preparation matters, thus leading boards of directors to skimp on necessary information security spending. Consumer reactions, meanwhile, can vary between apathy and extreme caution, with individuals potentially curbing their use of payment cards and taking their business elsewhere, or else ignoring personally identifiable or health information breach warnings altogether.

"The number-one driver of fatigue is the volume of notices that a consumer is getting," says Michael Bruemmer, vice president of data breach resolution at Experian Consumer Services. "Two years ago, less than 10 percent of the U.S. got a notice of a breach impacting their PII/PHI. Today, that number is closer to 40 percent of the U.S. population."

To better secure customer data and corporate reputations, businesses must combat the rise in data breach fatigue. Start with these three steps:

1. Beware Warning Signs

Businesses should watch for internal data breach fatigue warning signs, such as apathy or despondency over breaches, or feeling like no amount of preparation will help. "There are big risks with breach fatigue. Businesses may become less worried about the long-term brand harm of a breach and therefore less inclined to spend what they should on preventing them," says Neal O'Farrell, CEO of Privide, a personal security firm. On the other hand, he says, breach-related regulations, potential costs and criminal liability, as well as executive job security, all work to counter breach fatigue in businesses. "But I do hear a lot of security people talk more about damage control and crisis communications as an alternative to better security."

Breach fatigue may be accompanied by an acute sense of fatalism, says O'Farrell, who's also executive director of the Identity Theft Council. "When it was discovered that a 17-year-old was behind the Target breach, and a bunch of Russian buddy spammers behind the recent billion-password haul" - referring to the Operation CyberVor campaign - "it really hurt everyone's confidence that any amount of security will work."

On the consumer front, breaches may make customers angry, resulting in class-action lawsuits and customer defections, possibly to the benefit of non-breached businesses. "For consumers directly involved in a breach, going through the process of updating online accounts for their health club membership, Netflix accounts and other recurring charges is more than just a slight nuisance," says Alan Ferguson, executive vice president of sales and marketing at independent IT audit and compliance firm Coalfire.

But as with businesses, these multiplying breaches may drive consumers to extremes or unexpected behavior. "I think consumers will go one of two ways," O'Farrell says. "They will get frightened enough to change their behavior for the worse, like stop shopping online, which hurts business and the economy, or they will just accept data breaches as a cost of doing business, like living with bacteria or germs, and that's dangerous because it breeds apathy."

2. Demand Systemic Changes