Shostack + Friends Blog Archive


The "Too Many Notices" Meme

There’s this idea out there that consumers don’t need to be told when their products are broken. Not for things like lead paint on toys, mind you. No one would believe that. It’s when their personal data goes missing. If the company doesn’t think it’s a problem, they should be able to keep it a secret. “To prevent customers from being overwhelmed.” Even normally level-headed folks like Deborah Platt Majoras buy into this.

I have a number of responses to this:

  1. We don’t stop notifying people of poorly manufactured products. I see lots of news about Chinese-made toys. I’m tired of hearing about them. But I don’t want the notices to stop.
  2. I’d like to see a number. How many notices is too many? A survey. Even an instance of a real person saying “I’ve gotten too many of these, I don’t know what to do, and I don’t want to know anymore.”
  3. Trying to decide if a breach is risky is hard. We don’t have the data you need to make that assessment. We don’t have agreement on what bad outcomes to avoid. Arguing about these floors is an expensive distraction.

Photo: Overload, from ShutterStock.

One comment on “The ‘Too Many Notices’ Meme”

  • There was quite a bit of discussion when GLBA came out that allowed companies to start sharing data on an opt-out basis by simply sending you a notice.
    There was quite the number of complaints from people about the ridiculously long-winded inserts in people’s credit card bills explaining how the bank would now be sharing their data widely internally.
    It’s sort of like refunds… companies go out of their way to make the refund check look like junk mail so you never open the envelope and cash the check.
    Without standards for how we notify people of data breaches we can run into the same problem…
