Data breach notification fatigue: Do consumers (eventually) tune out?

Data breach notifications are flying en masse following the Epsilon Interactive breach, but are they doing customers any good?

Earlier this month more than 50 companies were involved in a massive heist of names and email addresses from Epsilon Interactive. With millions of customers of companies such as Best Buy, Brookstone, Dell, Marriott and many others affected, the question is being raised: are so many breach notifications from so many companies numbing their impact?

As for the breach that started it all for Epsilon, it's becoming an all-too-common story: employees were spear-phished with emails that linked to a malicious web site, or contained an attachment designed to infect endpoints with malware. Once a foothold was established, the attackers moved in on what they were after. Such attack techniques have been behind, among many other incidents, the now infamous Operation Aurora and the recent RSA Security breach.

The Epsilon breach is relatively tame by breach standards. As far as we know, no Social Security numbers, financial account numbers or even physical street addresses were stolen: only name, email address, and the knowledge of where that customer had a business relationship. What worries experts now is that customers will become targeted themselves by spear-phishing attacks.

Gartner analyst Avivah Litan told CSOOnline that the banks -- Barclays Bank of Delaware, CapitalOne, Citibank, JPMorgan Chase, TD Ameritrade, and others -- are "freaking out" over the breach.

Now, with a breach that in all likelihood involved millions of notifications, will people pay attention or will they receive so many breach notifications that they tune out?

"The Epsilon breach resulted in many consumers receiving multiple notifications, almost exclusively by email, that systems storing emails may have been compromised and that they shouldn't trust emails. There is a lot of irony in that," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "Then there is the idea of notification fatigue. People get these notices and they wonder what they can do about it. The frank answer is there is nothing they can do about it."

But Rafal Los, security evangelist at HP Software, says the notices have built considerable awareness around the dangers of phishing attacks.

"People not only see these notifications, but it's made the headlines of national newspapers and has been all over the TV. It's helping to tune people in to the fact that they may be targeted in their email boxes," he says. "And following this email breach those concerns are real."

Gartner analyst John Pescatore classifies breach notifications into two camps: those where nothing happens to those notified, and the notifications where bad stuff does happen. "There is definite notification fatigue happening on the former. For example, there has never actually been a publicly acknowledged customer account compromise due to a lost backup tape, but there were scads of notifications," he says. "But, I think more importantly, there are two reasons for requiring breach notifications: First, to give the information into how well or how badly companies are protecting their information. Second, to give the owners of the companies an incentive to want to minimize how often they have to issue press releases saying dear customers, we lost your sensitive information. Both of those are really good things, worth some notification fatigue."

Still, others think that all of the breach notifications regarding names and email addresses are not doing anyone any good. "I certainly think it's a mistake," says Rasch. "It's not that I think corporations should conceal these incidents. When it's a name and email address the statutes don't require a notification. But that's not why I think that they shouldn't do it. They shouldn't do it because it's not helpful."

George V. Hulme writes about security and technology from his home in Minneapolis. He hasn't opened any email since the Epsilon breach went public. But you can still find him on Twitter at @georgevhulme.

Copyright © 2011 IDG Communications, Inc.
