breach fatigue: the apparent lack of significant responses and countermeasures by consumers regarding safeguarding their information in the wake of well-publicized reports of huge data breaches by major companies.
*** TROVELOG ***
The news has been dominated lately by the failure of one company, Facebook Inc., to safeguard customer data. But Facebook isn’t alone.
In just the past two weeks, several major retailers have reported consumer data-security incidents:
• Under Armour Inc. said 150 million accounts in its MyFitnessPal app were affected by a recent hack.
• Hudson’s Bay Co. reported a payment-card data breach at some Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor stores. Gemini Advisory, a security firm, said a hacking syndicate got 5 million stolen card numbers that appear to have been grabbed from those retailers.
• Fast-casual eatery Panera Bread exposed a trove of its customer records.
• Sears Holdings Corp. said some of its shoppers’ credit-card information was compromised in a security incident at a company that provides online services to the retailer.
But while the Facebook story has shaken the business and political worlds for days, these other data security lapses, affecting millions of U.S. consumers, have barely made a ripple.
. . .
With the exception of Target Corp., which saw its sales whacked after a 2013 breach, shoppers generally don’t appear to respond to these incidents by changing their shopping habits. Investors know it, so they don’t dump a stock when these things happen.
And I worry this dynamic is a harmful one, leaving consumers more vulnerable than they should be. What incentive do retailers have to beef up their security operations or invest in security-related innovation if there are no consequences when they mess up?
. . .
I suspect some of the consumer complacency about the retailer security incidents simply reflects what’s known as “breach fatigue.” After you’ve had to replace a compromised card or dispute fraudulent charges so many times, it just starts to feel ordinary.
But consumers should not accept these conditions as ordinary. Retailers and the payments industry will surely do better if they sense their customers will flee — or at least be indignant — if they do not.
Despite recent major data breaches or hacks from companies such as Equifax or Gmail, Iowa State University Associate Professor of Information Systems Rui Chen said people still do not seem to be overly concerned with their online security, a trend he believes is growing and could place consumers at further risk of hackers.
The trend is known as “data breach fatigue,” and Chen and his colleagues at the University of Texas at San Antonio are working to better understand the behavior. According to Chen, data breach fatigue results in many consumers not changing their passwords or signing up for identity theft protection, despite the increased risk.
. . .
With so much personal information stored online, Chen said breaches have become the norm for consumers, and this breach fatigue has created constantly growing opportunities for cyber criminals.
“When an incident happens, when a data breach incident goes to the media, people read that news and they start to lose interest,” Chen said. “They take it as a new normal in today’s society.”
. . .
According to Chen, the breach fatigue also gives legislators less incentive to put laws in place to help combat data breach and hackers, as it becomes a less urgent matter. Chen said that cyber laws are already one step behind, as technology is constantly advancing, making regulation difficult.
. . .
Chen said that he and his colleagues believe that data breach fatigue can be combated. He said the responsibility relies on the consumers, who should be constantly checking their bank and credit card statements for fraudulent charges, stop posting personal information on social media, stop responding to “phishing” emails, and take the opportunity to use or renew ID protection services.
As the parade of breaches and compromises wombles past the grandstand of newsworthiness, breach fatigue has become our greatest enemy.
With insurers increasingly finding ways to manage cyber-insecurity, the threat sometimes can seem diminished.
. . .
While the cost of breaches is going down–in no small part due to more economic and efficient responses to the everyday assault of data compromise–the number and prevalence of them does not seem to be diminished at all. We’re still seeing mega-breaches. And if anything, they’re getting worse.
Breach fatigue is the enemy. And here’s the thing about it–the fatigue increases the threat, because fatalism sets in. If there is nothing you can do, why do anything?
See related Trovelog posts: GDPR (General Data Protection Regulation)