Download Free Electronic Document

FormatFile SizeNotes
PDF file 1.2 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Data Theft Victims, and Their Response to Breach Notifications

A summary of the results of RAND's first-of-its-kind survey aimed at learning about consumer response to security breaches is available on RAND dot org.

Data theft cuts across all demographics -- about 105 million Americans, or about 43% of all U.S. adults -- have been affected. More than half (56%) didn't know their data had been stolen before receiving a notification of the breach. Nearly two-thirds (62%) reported accepting an offer of free credit monitoring. While the median loss was around $500, an estimated 6 million adults reported perceived costs to them as $10,000 or more. Companies do a good job at responding, with more than three-quarters of adults reporting being very satisfied with post-breach responses. But 11%, or an estimated 11.5 million Americans, stopped dealing with the responsible company entirely as the result of a breach.

This infographic summarizes the results of a nationally representative survey of 2,038 adults regarding the last breach notification they received. Dollar losses and population numbers are estimates extrapolated from those survey data.

  • 105 million U.S. adults recalled ever being affected by a data breach
  • 44% already knew about the breach before they received the notification
  • 11.5 million people stopped doing business with the company
  • Perceived losses totaled more than $60 billion
  • 77% were highly satisfied with the company's post-breach response
  • 62% recalled accepting offers of free credit monitoring

Consumers reported that credit cards made up the largest percentage of information lost or stolen.

Types of data lost or stolen

  • Credit card information 49%
  • Health information 21%
  • Social Security Number 17%
  • User account information 13%
  • Other personal information 13%
  • Non-credit card financial information 10%

Participants were able to check all that applied, so percentages add up to more than 100%.

Victims suggest 3 ways companies can improve

  1. Implement new procedures so that it doesn't happen again.
  2. Offer free credit monitoring following a data breach.
  3. Notify the victim immediately.

Victims value these improvements more than monetary compensation.

Adapted from Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information, by Lillian Ablon, Paul Heaton, Diana Catherine Lavery, and Sasha Romanosky, RAND Corporation, RR-1187-ICJ, 2016.

Man with glasses: mediaphotos/iStock; icons: Askold Romanov/iStock; office building, Steppeua/iStock; credit card: L_amica/iStock.

IG-126 (2016)

This report is part of the RAND infographic series. RAND infographics are design-focused, visual representations of data and information based on a published, peer-reviewed product or a body of published work.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.