



Data breach fatigue requires better response planning

Feb 13, 2018 | 4 mins
Cybercrime, Data Breach, DLP Software

Customers may view data breaches as common, but companies have to nail the response, or risk a consumer backlash.


With the number of data breaches reaching record levels and expected to rise, companies and consumers alike are trying to navigate a new reality where data theft is a common occurrence. While companies look to protect themselves from both an actual attack and the potentially devastating cost of remediation and notification, consumers are just trying to make sense of a seemingly endless flood of notification letters.

Perhaps unsurprisingly, one of the ways that consumers are reacting is by turning a blind eye to the whole issue. No one likes to have their data compromised, but when you hear about it happening so often, it’s easy to grow indifferent. 

According to new research from a group of professors at Iowa State University and the University of Texas San Antonio, this is referred to as data breach fatigue, and it is on the rise among consumers.

Data breach fatigue is a phenomenon that occurs when data theft becomes so normalized that individuals essentially grow numb to the threat of losing their personal data. It can lead to an increased sense of inevitability, often accompanied by apathy or indifference. They start to think, “If someone already has all my information, why should I bother protecting it? If it’s already out there, why do I care if another company loses it?”

So what impact does this trend have on companies trying to navigate the increasingly complex process of planning for and responding to a data breach?

At first glance, this trend may be seen as a positive. One of the toughest parts of handling a breach is communicating about it with your customers. If data breach fatigue means they are less inclined to react negatively, it could potentially lessen the pain that comes with informing them that their data was lost. It’s always easier to tell someone bad news if they don’t get upset easily.

Unfortunately, this does not actually equate to an easier notification process. In reality, it has the opposite effect. Because consumers view a data breach as a routine occurrence, the notification process has become routine as well. The same phenomenon that makes them more likely to shrug their shoulders about the actual breach makes it more likely that they will notice if your response deviates from that routine.

This actually puts more pressure on you to execute a flawless incident response, because while the breach itself may not attract much attention, your response easily could.

So what can you do to ensure your incident response doesn’t stand out from the crowd for all the wrong reasons?

The best way to stay under the radar is to make sure the focus stays on the breach, not on your response. This starts with incorporating a good communications plan into your incident response by establishing communications channels and processes, during the planning phase, that prioritize your customers’ need for information.

When an incident actually occurs, you simply tailor these pre-built channels and processes to the specifics of your event and implement a simple script to ensure the content you are pushing out is clear, contrite and consistent. This 3-step script acknowledges that something happened, apologizes for the impact on your customers, and finally, prevents your story from changing over time.

It sounds overly simplistic, but this 3-step script is part of the routine. When you execute it properly, customers can be surprisingly forgiving. When you don’t, your response becomes the focus for all the wrong reasons.  

Bottom line – everything is routine, until it isn’t.

The quickest way to snap someone out of data breach fatigue is to deviate from the script and draw attention to your mistakes. As we’ve seen countless times over the past year, once indifference is replaced with anger, it’s hard to right the ship. A poorly handled response can snowball rapidly, and what was supposed to be a clean exercise in standard customer notification suddenly becomes a chain reaction of negative attention being paid to your handling of the situation, rather than to the actual breach itself.

When you experience a breach, the best you can hope for is that your customers will shrug and move on. Data breach fatigue makes this more likely, but only if you are prepared with a response that communicates effectively and meets everyone’s expectations. Any detour from the script won’t just get your customers’ attention, it risks drawing their fire.


Loren Dealy Mahler is a seasoned strategic leader with high-level government and private sector experience across national security, strategic communications and crisis management.

From the White House to corporate America, Loren has helped clients leverage effective communications strategies to further business and policy objectives, while mitigating brand impact through effective cyber incident planning and response.

Loren has advised top government officials in her roles as Director of Legislative Affairs at the National Security Council and as Communications Director for the Office of Legislative Affairs at the Department of Defense. Prior to that, she ran the communications office for the House Armed Services Committee. After leaving government service, Loren helped Fortune 500 companies and national nonprofits grow and protect their organizations as Vice President of Corporate Communications for a PR firm in New York.

In early 2016, she launched Dealy Mahler Strategies, LLC, and hasn’t looked back.

Loren is a graduate of Princeton University and holds a Master’s in Public Policy from the McCourt School at Georgetown University.

The opinions expressed in this blog are those of Loren Dealy Mahler and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.