Why do consumers often take little action when facing security breaches? The answer may lie in the language and methods companies use to notify them, according to researchers at the University of Michigan. According to readability metrics, 97 percent of the 161 sampled notifications were difficult or fairly difficult to read.
Because each state has its own data breach law, the threshold for when companies must notify consumers, how soon after a breach they must send notifications, and what the notification must look like all vary across states.
Companies are able to use hedge terms that downplay risk: phrases like “you might be affected” and “you are likely to be affected” appear in 70 percent of notifications, and “at this time, we have no evidence of exposed data being misused” appears 40 percent of the time. The lack of consistency in addressing the cause of the breach, the date of occurrence, and the amount of exposure time can create confusion, and companies have little incentive to bring more clarity to the consumer.
Florian Schaub, an assistant professor in the School of Information, believes, “We need to rethink and rework consumer protection laws such as these to ensure that companies’ notifications are actually helpful to consumers.”
Building on their previous research that showed consumers often take little action when facing security breaches, researchers analyzed the data breach notifications companies sent to consumers to see if the communications might be responsible for some of the inaction. They found that 97 percent of the 161 sampled notifications were difficult or fairly difficult to read based on readability metrics, and that the language used in them may have contributed to confusion about whether the recipient of the communication was at risk and should take action.
“Our analysis shows that requiring companies by law to send data breach notifications alone is not sufficient,” says Yixin Zou, a doctoral student at the University of Michigan. “It’s important to ensure that important information such as what happened and how consumers can protect themselves is communicated in an understandable and actionable way by consumers.”