Why do consumers often take little action when facing security breaches? The answer may lie in the language and methods companies use to notify them, according to researchers at the University of Michigan. Of the 161 sampled notifications, 97 percent were, according to readability metrics, difficult or fairly difficult to read.

Because each state has its own data breach law, the threshold at which companies must notify consumers, how soon after a breach they must send notifications, and what those notifications must look like all vary from state to state.

Companies are able to use hedge terms that downplay risk—using phrases like “you might be affected” and “you are likely to be affected” in 70 percent of notifications and saying “at this time, we have no evidence of exposed data being misused” 40 percent of the time. This lack of consistency in addressing the cause of the breach, the date of occurrence, and the amount of exposure time can create confusion, and companies have little incentive to bring more clarity to the consumer.

Florian Schaub, an assistant professor in the School of Information, believes, “We need to rethink and rework consumer protection laws such as these to ensure that companies’ notifications are actually helpful to consumers.”