Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information

by Lillian Ablon, Paul Heaton, Diana Lavery, Sasha Romanosky

Download

Download eBook for Free

FormatFile SizeNotes
PDF file 0.5 MB Best for desktop computers.

Use Adobe Acrobat Reader version 10 or higher for the best experience.

ePub file 3.2 MB Best for mobile devices.

On desktop computers and some mobile devices, you may need to download an eBook reader to view ePub files. Calibre is an example of a free and open source e-book library management application.

mobi file 8.7 MB Best for Kindle 1-3.

On desktop computers and some mobile devices, you may need to download an eBook reader to view mobi files. Amazon Kindle is the most popular reader for mobi files.

Purchase

Purchase Print Copy

 FormatList Price Price
Add to Cart Paperback78 pages $16.50 $13.20 20% Web Discount

Research Questions

  1. How frequently do consumers receive breach notifications and what type of data are typically lost or stolen?
  2. What is the typical consumer response toward the notification, the company, and the company's follow-on actions after a breach?
  3. What are the perceived personal costs resulting from a breach?
  4. How satisfied are consumers with breach notifications?
  5. What actions, if any, do consumers take following a breach notification?
  6. What is the average rate of customer attrition following a breach notification?

Data breaches continue to plague private-sector companies, nonprofit organizations, and government agencies. Despite the mounting rate of these breaches, the continuing harms imposed on consumers and firms, and over a decade of breach notification laws, very little research exists that examines consumer response to these developments. This report sets out the results of a nationally representative survey of the consumer experience with data breaches: the frequency of notifications of data breaches and the type of data taken; consumer attitudes toward data breaches, breach notifications, and company follow-on responses; and perceived personal costs resulting from the breach, with the goal to establish a baseline of information about consumer attitudes toward data loss and company practices in responding to such events. Key findings include: (1) Twenty-six percent of respondents, or an estimated 64 million U.S. adults, recalled a breach notification in the past 12 months; (2) 44 percent of those notified were already aware of the breach; (3) 62 percent of respondents accepted offers of free credit monitoring; (4) only 11 percent of respondents stopped dealing with the affected company following a breach; (5) 32 percent of respondents reported no costs of the breach and any inconvenience it garnered, while, among those reporting some cost, the median cost was $500; and (6) 77 percent of respondents were highly satisfied with the company's post-breach response.

Key Findings

Twenty-six percent of respondents, or an estimated 64 million U.S. adults, recalled receiving a breach notification in the 12-month period before the survey.

  • Higher-income and better-educated respondents were more likely to remember experiencing a breach; younger adults (ages 18–34) and senior citizens (ages 65+) were less likely.
  • More than one-half of those people (51 percent), or an estimated 36 million individuals, received two or more notifications in the year preceding the survey.

Of those who received a notification in their lifetime, 44 percent were already aware of the breach from a source other than the affected company; typically media reports or notifications from a third party.

Sixty-two percent of respondents accepted offers of free credit monitoring.

  • According to respondents, three main factors influenced their decision: (1) time and effort required, (2) quality perception and trust (both of the affected company and of the breach notification service), and (3) whether the offer duplicated other services the victim had.

Only 11 percent of respondents stopped dealing with the affected company following a breach.

  • Thirty-two percent of respondents reported no costs of the breach and any inconvenience it garnered; among those reporting some cost, the median cost was $500. Median dollar values were higher if health information ($1,000), social security numbers ($1,000), or other financial information ($864) was compromised.
  • Just under 6 percent said that the inconvenience cost them $10,000 or more. For these, the breach typically involved credit card or health information.

Seventy-seven percent of respondents were highly satisfied with the company's post-breach response.

  • Most respondents (77 percent) were highly satisfied with the company's breach response. The greatest difference was with ethnic minorities, who were less likely to be satisfied with the company's breach response and more likely to both place a higher dollar value on the inconvenience caused by the breach and cease doing business with the company.

Respondents recommended several steps companies could take to better protect their data.

  • The steps that would highly satisfy most respondents were (1) take measures to ensure that a similar breach cannot occur in the future (68 percent), (2) offer free credit monitoring or similar services to ensure that lost data is not misused (64 percent), and (3) notify consumers immediately (63 percent). All three of these actions were valued more highly than receiving financial compensation for the inconvenience.

Table of Contents

  • Chapter One

    Introduction

  • Chapter Two

    Survey Results

  • Chapter Three

    Conclusions and Implications

  • Appendix A

    Survey Instrument

  • Appendix B

    Supporting Tables and Charts

The research described in this report was conducted by the RAND Institute for Civil Justice, a part of RAND Justice, Infrastructure, and Environment.

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.