An interesting report from Ponemon and RSA indicates that even after huge data breaches, many consumers aren’t adjusting their behavior. Why?

It comes down to a newly coined term: “breach fatigue.” In the wake of mammoth data breaches over the last year at some of the huge names in retail and banking like Target, Home Depot, and JPMorgan Chase, consumers are reaching a point where they find data security lapses less and less surprising.

The study, conducted by Ponemon Institute on behalf of RSA, reveals that consumers do very little to alter their shopping behavior following breaches at their favorite stores. Consumers do, however, pay attention to the way online retailers handle security measures, like authentication.

Of the 1,000 consumers involved in the Ponemon and RSA study, 50 percent of whom had been victims of a security breach, these were the results:

  • 14 percent said they would alter their shopping/banking behavior if one of the places they do business with experienced a data breach.
  • The majority polled said they care about their privacy to some degree – but not enough to change their online behavior.
  • 23 percent said that privacy has absolutely no influence over their consumer perceptions or behaviors.
  • 49 percent reported they still shop online, but now use credit cards more than debit cards.

What is Peak Breach?

Software Advice, a subsidiary of Gartner, interviewed 4,000 consumers for a report and coined the term “peak breach” after discovering that, as the year continued, consumers tuned out breach news. These were their findings:

  • 23 percent of consumers were aware of the two top breaches in 2014.
  • Target’s nearly year-old breach registered higher awareness than the bigger, more recent Home Depot breach. (Some say that was due to the timing right before Christmas and the high news coverage it received.)
  • 77 percent of respondents were unaware of eBay’s mega breach.

While news of data breaches may not impact consumers the way it first did, consumers still care how companies protect their information and how they respond to breaches.

  • 62 percent say they don’t trust websites that only use passwords to authenticate users or when identity and authentication procedures seem too simple.
  • 77 percent say they expect prompt notification if a breach occurs.
  • 21 percent believe retailers will actually tell them if their information has been compromised.

Personal Information Defined

Personally Identifiable Information (PII) includes a person’s first name or initial and their last name in combination with any of the following: their Social Security number, driver’s license number, passport number; financial account numbers or credit card numbers with security codes or passwords; anything pertaining to the person’s medical history or physical condition; health insurance policy numbers; as well as user IDs and passwords for online accounts, email and related identifiers, such as security questions. In many states, the law now requires that this information be protected.