On April 14, 2016, the RAND Corporation (“RAND”) released the results of a “first-of-its-kind consumer survey” by the RAND Institute for Civil Justice (“ICJ”) (the “Report”) which was “designed to provide useful information to companies, policymakers, and the public about the consumer’s experience of data loss.”
The results were based on communications with 2,038 adults between May 14 and June 1, 2015, in the following areas:
- How frequently do consumers receive breach notifications and what type of data are typically lost or stolen?
- What is the typical response toward the notification, the company, and the company’s follow-on actions after a breach?
- What are the perceived personal costs resulting from a breach?
- How satisfied are consumers with breach notifications?
- What actions, if any, do consumers take following a breach notification?
- What is the average rate of customer attrition following a breach notification?
Researchers gleaned the following:
- 26 percent of respondents, or an estimated 64 million adults in the United States, recalled receiving a breach notification in the 12-month period before the survey.
- Of those who received a notification in their lifetime, 44 percent were already aware of the breach.
- 62 percent of respondents accepted offers of free credit monitoring.
- Only 11 percent of respondents stopped dealing with the company following a breach.
- Of those who estimated a dollar-equivalent cost of the breach and any inconvenience it caused, the median cost was $500.
- 77 percent of respondents were highly satisfied with the company’s post-breach response.
- Respondents recommended several steps companies could take to better protect their data, including offering free credit monitoring or similar assistance to ensure that compromised data would not be used improperly and providing consumers immediate notification of a breach.
It is well-known that corporations, nonprofit organizations, government agencies and individuals regularly face cyber security breaches of sensitive information. Moreover, “[a]s of March 2016, 47 states and the District of Columbia have adopted laws that require companies to notify individuals in the event that their personal information is lost or stolen.”
Navigating these disparate laws and consumer perceptions of cyber security issues is an increasingly complicated matter for everyone engaging in internet-based activities.
The Report and related information may be accessed here.
Reporter, Claudia A. Hrvatin, Washington, DC, +1 202 661 7950, chrvatin@kslaw.com.