Data Theft Victims, and Their Response to Breach Notifications

A summary of the results of RAND's first-of-its-kind survey aimed at learning about consumer response to security breaches is available on RAND dot org.

Data theft cuts across all demographics -- about 105 million Americans, or about 43% of all U.S. adults -- have been affected. More than half (56%) didn't know their data had been stolen before receiving a notification of the breach. Nearly two-thirds (62%) reported accepting an offer of free credit monitoring. While the median loss was around $500, an estimated 6 million adults reported perceived costs to them as $10,000 or more. Companies do a good job at responding, with more than three-quarters of adults reporting being very satisfied with post-breach responses. But 11%, or an estimated 11.5 million Americans, stopped dealing with the responsible company entirely as the result of a breach.

This infographic summarizes the results of a nationally representative survey of 2,038 adults regarding the last breach notification they received. Dollar losses and population numbers are estimates extrapolated from those survey data.

  • 105 million U.S. adults recalled ever being affected by a data breach
  • 44% already knew about the breach before they received the notification
  • 11.5 million people stopped doing business with the company
  • Perceived losses totaled more than $60 billion
  • 77% were highly satisfied with the company's post-breach response
  • 62% recalled accepting offers of free credit monitoring

Consumers reported that credit cards made up the largest percentage of information lost or stolen.

Types of data lost or stolen

  • Credit card information 49%
  • Health information 21%
  • Social Security Number 17%
  • User account information 13%
  • Other personal information 13%
  • Non-credit card financial information 10%

Participants were able to check all that applied, so percentages add up to more than 100%.

Victims suggest 3 ways companies can improve

  1. Implement new procedures so that it doesn't happen again.
  2. Offer free credit monitoring following a data breach.
  3. Notify the victim immediately.

Victims value these improvements more than monetary compensation.

Adapted from Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information, by Lillian Ablon, Paul Heaton, Diana Catherine Lavery, and Sasha Romanosky, RAND Corporation, RR-1187-ICJ, 2016.

Man with glasses: mediaphotos/iStock; icons: Askold Romanov/iStock; office building, Steppeua/iStock; credit card: L_amica/iStock.

IG-126 (2016)

This report is part of the RAND Corporation infographic series. RAND infographics are design-focused, visual representations of data and information based on a published, peer-reviewed product or a body of published work.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.