Data breach notification fatigue: Do consumers (eventually) tune out?
George V. Hulme writes:
Earlier this month more than 50 companies were involved in a massive heist of names and email addresses from Epsilon Interactive. With millions of customers of companies such as Best Buy, Brookstone, Dell, Marriott and many others affected, the question is being raised: are so many breach notifications from so many companies numbing their impact?
Read the opinions of a number of people George interviewed on CSO.
Rather than comment on all of the different views expressed, I’ll confine myself to one comment:
Still, others think that all of the breach notifications regarding names and email addresses are not doing anyone any good. “I certainly think it’s a mistake,” says [Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation]. “It’s not that I think corporations should conceal these incidents. When it’s a name and email address the statutes don’t require a notification. But that’s not why I think that they shouldn’t do it. They shouldn’t do it because it’s not helpful.”
Ah, but it could be helpful if consumers who have received 5, 6, 7 or even more notifications from WFNNB-issued credit cards stop and think, “Do I really need all of these store-branded credit cards or am I just creating more accounts that can be hacked or compromised? Would I be better off only using one or two cards such as Mastercard and Visa instead of all these cards?”
Giving stores just a store-specific email address for email promotions is not a huge deal if they get hacked, as you can kill the email address without impacting anything important. Giving their bank your personal details to get a credit card opens up more serious risks.
There are lessons that can be learned by people who received a lot of notifications after the Epsilon breach. Being aware of spear-phishing is an important one, but it’s not the only one. Hopefully, more consumers will start to think about all of the credit cards they’ve opened for stores and gas stations and think about whether they really need them all or would be better off reducing their risk by only using one or a few major cards.