Few consumers penalize companies after data breach
In Alabama, New Mexico and South Dakota you don't have to report security problems.
The findings are from one of the first examinations of consumers' experiences with data breaches and the impact it has on their relationships with the companies that lose their personal information.
The RAND survey found that among those who remembered receiving a data breach notification at any time over their lifetime, about 44 percent said they were aware of the hack even before they received notification. About 10 percent discovered the breach by identifying suspicious activity themselves.
Surprisingly, 62 percent of consumers reported they accepted offers of free credit monitoring. This counters claims made by others that consumers are experiencing "breach fatigue" — where consumers become desensitized to the notices and either discount them or ignore important information contained in the notices.
The three main reasons for declining such offers were the time and effort required to register for the service, concerns about the hacked company or the breach notification service, and whether the offer duplicated services the victim already had.
More than three-quarters of those surveyed (77 percent) said they were highly satisfied with the company's post-breach response. However, ethnic minorities were less likely to report being satisfied with the company's breach response, placed a higher dollar value on the inconvenience caused by the breach and were more likely to cease doing business with the related company.
While most states have laws requiring that consumers be notified of data breaches, three states — Alabama, New Mexico and South Dakota — have no such legislation.
Survey participants in those three states reported lower rates of having ever received a data breach notice as compared to people from states with notification laws, although the difference was not statistically significant.
The survey questioned a nationally representative sample of 2,038 adults who participate in the RAND American Life Panel, an Internet-based survey panel.
The survey was fielded between May 15 and June 1, 2015, and designed to provide a snapshot of the frequency of breach notifications and the types of data compromised, as well as consumer reactions to the breach, the notification process and the affected company.
The survey also examined estimates regarding the perceived personal cost of the breach, as well as suggestions regarding future notifications and data protection measures.
Among those experiencing a data breach during their lifetime, people with higher income and those with more education were more likely to recall being notified of a breach, as compared to younger adults (ages 18-34) and senior citizens (ages 65 and older).
More than 12 percent of those surveyed received two or more notifications in the year preceding the survey.
Among survey participants who estimated a dollar-equivalent cost for the inconvenience caused by a data breach, the median amount was $500. Thirty-two percent felt the breach imposed no dollar loss to them.
Median dollar values were higher if health information ($1,000), social security numbers ($1,000) or other financial information ($864) was compromised.
Just under 6 percent of those who had ever received a data breach notification (or an estimated 6 million U.S. adults) felt that the inconvenience cost them $10,000 or more. Of those who experienced an extreme inconvenience, the breach typically involved credit card or health information.
Respondents recommended several steps companies could take to better protect personal information. The steps that would highly satisfy most respondents included taking measures to ensure a similar breach cannot occur in the future, offering free credit monitoring to make sure lost data is not misused and notifying consumers immediately.
All three were valued more highly than receiving compensation for financial loss or an apology from the company. ■