Companies’ data breach alerts are confusing, study finds

New research suggests that companies that have suffered a cyber attack are sending out unclear information in their data breach notifications.

Customers are left confused about whether or not their private information is at risk, as a result.

In earlier surveys, researchers had found that customers seldom take action when an affected company contacts them about a potential data leak. The latest research analysed the quality of the notifications sent out by victim firms, to try to trace the source of this worrying consumer response.

Out of 161 notifications, 97% were rated difficult or fairly difficult to read when scored with readability metrics. The technical language used in the notifications was found to be a sticking point.
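To make the readability finding concrete, the following is an added example that is not part of the article or the University of Michigan study. It scores two constructed breach notices with the Flesch Reading Ease and Flesch-Kincaid grade formulas (a standard pair of readability metrics; the article does not say which metrics the study used, so that choice, the difficulty thresholds, the syllable heuristic and the small jargon list are all assumptions of this example) and flags technical terms that a consumer-facing notice should explain or replace.

```python
import re

# Assumption: standard Flesch Reading Ease (FRE) and Flesch-Kincaid (FK)
# grade formulas; the page does not name the study's exact metrics.
VOWEL_GROUPS = re.compile(r"[aeiouy]+")
WORD = re.compile(r"[A-Za-z]+")
SENTENCE_END = re.compile(r"[.!?]+")

# Constructed sample notices (not real company text).
JARGON_NOTICE = (
    "An unauthorized actor exploited a misconfigured authentication endpoint "
    "and exfiltrated personally identifiable information associated with "
    "customer accounts. Affected individuals are advised to monitor "
    "credentials for anomalous activity."
)
PLAIN_NOTICE = (
    "Someone broke into our systems. They took your name and email address. "
    "Change your password now."
)

# Hypothetical glossary of terms a notice should avoid or explain.
JARGON = {"exfiltrated", "endpoint", "credentials", "anomalous", "misconfigured"}


def count_syllables(word: str) -> int:
    """Heuristic: count vowel groups, drop one for a trailing silent 'e'."""
    w = word.lower()
    groups = len(VOWEL_GROUPS.findall(w))
    if groups > 1 and w.endswith("e") and not w.endswith("le"):
        groups -= 1
    return max(groups, 1)


def text_stats(text: str) -> dict:
    """Sentence, word and syllable counts used by both formulas."""
    sentences = [s for s in SENTENCE_END.split(text) if s.strip()]
    words = WORD.findall(text)
    syllables = sum(count_syllables(w) for w in words)
    return {"sentences": len(sentences), "words": len(words), "syllables": syllables}


def flesch_reading_ease(stats: dict) -> float:
    """Higher is easier; 60+ is usually read as plain English, <30 very hard."""
    if not stats["sentences"] or not stats["words"]:
        return 0.0
    wps = stats["words"] / stats["sentences"]
    spw = stats["syllables"] / stats["words"]
    return 206.835 - 1.015 * wps - 84.6 * spw


def flesch_kincaid_grade(stats: dict) -> float:
    """US school grade needed to follow the text comfortably."""
    if not stats["sentences"] or not stats["words"]:
        return 0.0
    wps = stats["words"] / stats["sentences"]
    spw = stats["syllables"] / stats["words"]
    return 0.39 * wps + 11.8 * spw - 15.59


def difficulty_label(fre: float) -> str:
    """Assumed bands: plain (>=60), difficult (30-60), very difficult (<30)."""
    if fre >= 60:
        return "plain"
    if fre >= 30:
        return "difficult"
    return "very difficult"


def flag_jargon(text: str) -> list:
    """Return the glossary terms present in the notice, sorted."""
    return sorted({w.lower() for w in WORD.findall(text) if w.lower() in JARGON})


def assess(text: str) -> dict:
    """Full readability report for one notice."""
    stats = text_stats(text)
    fre = flesch_reading_ease(stats)
    return {
        "stats": stats,
        "reading_ease": round(fre, 1),
        "grade": round(flesch_kincaid_grade(stats), 1),
        "label": difficulty_label(fre),
        "jargon": flag_jargon(text),
    }


if __name__ == "__main__":
    for name, notice in (("jargon", JARGON_NOTICE), ("plain", PLAIN_NOTICE)):
        print(name, assess(notice))
```

Run as a script, the jargon-heavy notice lands in the "very difficult" band with a grade level above 12 and five flagged terms, while the plain notice scores as plain English at roughly a third-grade level with nothing flagged. A review step like this, run before a notice is sent, is a cheap way to catch the readability problem the study describes.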

Yixin Zou, a PhD student at the University of Michigan, said:

“Our analysis shows that requiring companies by law to send data breach notifications alone is not sufficient.

“It is important to ensure that important information such as what happened and what consumers should do to protect themselves is communicated in those notifications in a way that is understandable and actionable by consumers.”

In 2017, Privacy Rights Clearinghouse research found there to be 853 data breaches which exposed 2.05 billion records in the US, including names, residential addresses, contact details, bank account numbers, payment card details, social security numbers, shopping histories, social media data and health information.

The wave of leaks has prompted a global response, with the US among many countries to adopt new data breach notification laws in a style similar to that stipulated by the EU’s General Data Protection Regulation.

The lack of uniformity in how notifications must be worded has enabled companies across North America to choose terms that often downplay risk, thus reducing the likelihood that consumers will react.

The researchers said this lack of consistency may be at the root of data breach notification confusion.

Florian Schaub, an assistant professor in the School of Information at the University of Michigan, lamented the lack of incentive “for companies to invest in making data breach notifications more usable.”

“For most companies, those notifications are only seen as a requirement for complying with data breach notification laws rather than a way to educate and protect their customers. We need to rethink and rework consumer protection laws such as these to ensure that companies’ notifications are actually helpful to consumers,” Schaub said.
