Shostack + Friends Blog Archive


Overwhelmed or Under-notified: Consumers and Breach Notices

In asking why customers don’t leave after a breach, two theories that people have put forth are interestingly contradictory. The first is that customers don’t know about the breaches; this was suggested by a questioner at Toorcon Seattle. The second is that customers are overwhelmed with notices; this is popular amongst bankers, insurance people, and my buddy Scott. The trouble is, I haven’t met anyone who says that they’ve gotten so many notices that they just ignore them now. Absent data, I’m leaning toward the first explanation. Have any readers gotten so many notices that they’re ignoring them?

5 comments on "Overwhelmed or Under-notified: Consumers and Breach Notices"

  • yoshi says:

    My parents still shopped at TJMaxx after they heard it on the news. Why? Because they didn’t understand what it means to have that information stolen (they do now, after I explained it to them). I suspect that is the case in many instances.

  • Scott says:

    I’m not that big a fan of the volume argument, though I do think it is a real threat to the value of notification as we fail to generate fewer of them.
    What about simply not caring? The compromise of a credit card number is virtually without consequence to the average consumer. By lumping together all “personal information” we fail to distinguish the scary stuff from the trivial.

  • MitmWatcher says:

    Ignorance is bliss. Most people don’t know what a data breach means, but also don’t know how they are affected if stolen data is misused by bad guys.
    Most people are optimistically biased, i.e. they tend to believe that they will not be affected when compared to most others engaged in the same activity, like we think car accidents happen only to other people, and why we can at the same time.
    Some more insights are given by Bruce in his essay http://www.schneier.com/essay-155.html

  • Owen says:

    What about the notion that there’s no use in switching because you think you’re just as likely to have your data lost by any other company? Sometimes when you pick who to do business with you end up trying to find which company is the least evil.

  • If the retailer loses your credit card number, then the sensible thing is to change your credit card. Frequently.
    Is it worth avoiding that retailer in future? Only if you think (a) they haven’t learned from the error and/or (b) the other retailers are any more security-minded.
    Of course if the bank itself loses your credit card number, then that’s a different matter entirely.