Data breach fatigue requires better response planning

With the number of data breaches reaching record levels and expected to rise, companies and consumers alike are trying to navigate a new reality where data theft is a common occurrence. While companies look to protect themselves from both an actual attack and the potentially devastating cost of remediation and notification, consumers are just trying to make sense of a seemingly endless flood of notification letters.

Perhaps unsurprisingly, one of the ways that consumers are reacting is by turning a blind eye to the whole issue. No one likes to have their data compromised, but when you hear about it happening so often, it’s easy to grow indifferent. 

According to new research from a group of professors at Iowa State University and the University of Texas San Antonio, this is referred to as data breach fatigue, and it is on the rise among consumers.

Data breach fatigue is a phenomenon that occurs when data theft becomes so normalized that individuals essentially grow numb to the threat of losing their personal data. It can lead to an increased sense of inevitability, often accompanied by apathy or indifference. They start to think, “If someone already has all my information, why should I bother protecting it? If it’s already out there, why do I care if another company loses it?”

So what impact does this trend have on companies trying to navigate the increasingly complex process of planning for and responding to a data breach?

At first glance, this trend may be seen as a positive. One of the toughest parts of handling a breach is communicating about it with your customers. If data breach fatigue means they are less inclined to react negatively, it could potentially lessen the pain that comes with informing them that their data was lost. It’s always easier to tell someone bad news, if they don’t get upset easily.

Unfortunately, this does not actually equate to an easier notification process. In reality, it has the opposite effect. Because consumers view a data breach as a routine occurrence, it means the notification process has become routine, as well. The same phenomenon that makes them more likely to shrug their shoulders about the actual breach, makes it more likely that they will notice if your response deviates from that routine.

This actually puts more pressure on you to execute a flawless incident response, because while the breach itself may not attract much attention, your response easily could.

So what can you do to ensure your incident response doesn’t stand out from the crowd for all the wrong reasons?

The best way to stay under the radar is to make sure the focus stays on the breach, not on your response. This starts with incorporating a good communications plan into your incident response by establishing communications channels and processes, during the planning phase, that prioritize your customers’ need for information.

When an incident actually occurs, you simply tailor these pre-built channels and processes to the specifics of your event and implement a simple script to ensure the content you are pushing out is clear, contrite and consistent. This 3-step script acknowledges that something happened, apologizes for the impact on your customers, and finally, prevents your story from changing over time.

It sounds overly simplistic, but this 3-step script is part of the routine. When you execute it properly, customers can be surprisingly forgiving. When you don’t, your response becomes the focus for all the wrong reasons.  

Bottom line – everything is routine, until it isn’t.

The quickest way to snap someone out of data breach fatigue is to deviate from the script and draw attention to your mistakes. As we’ve seen countless times over the past year, once indifference is replaced with anger, it’s hard to right the ship. A poorly handled response can snowball rapidly, and what was supposed to be a clean exercise in standard customer notification suddenly becomes a chain reaction of negative attention being paid to your handling of the situation, rather than to the actual breach itself.

When you experience a breach, the best you can hope for is that your customers will shrug and move on. Data breach fatigue makes this more likely, but only if you are prepared with a response that communicates effectively and meets everyone’s expectations. Any detour from the script won’t just get your customers’ attention, it risks drawing their fire.