Data Breach Notifications Are Too Complex



The meteoric rise of electronic transactions has resulted in Americans becoming increasingly vulnerable to data breaches. Data breaches can cause grave harm to the consumer, potentially resulting in identity theft and causing significant monetary loss. In 2017 alone, over 2 billion records were breached, costing impacted consumers $1,000 on average. Most companies have now adopted a Data Breach Notification (DBN) system to inform consumers and enable them to take preventative measures. Yet, consumers often ignore Data Breach Notifications due to their needless complexity.

DBN laws vary widely by state, resulting in inconsistent formatting and language. Ambiguous language misleads consumers and causes them to potentially downplay the risk. According to research conducted at the University of Michigan, the jargon used in DBNs is often too sophisticated, making it impossible to make informed decisions.

DBNs are inconsistently provided and are often needlessly opaque because there are no overarching federal standards. Federal data regulations tend to be sector-specific. For instance, the Health Insurance Portability and Accountability Act (HIPAA) regulates consumer health information, and the Gramm-Leach-Bliley Act (GLBA) regulates the financial sector. State data protection laws, like the California Consumer Privacy Act (CCPA) and Maryland’s Personal Information Protection Act (PIPA), sometimes provide DBN requirements but are limited in geographic scope. Both HIPAA and CCPA call for the use of “plain language” to ease consumer readability, while GLBA and PIPA do not. DBNs are not visually engaging and therefore leave consumers overwhelmed and without clear steps for action. The human brain has trouble distinguishing important information without clear visual cues.

DBNs use soft language to downplay the risk and lull their customers into a false sense of security. According to the University of Michigan study, “consequences and risks of the data breach were usually obfuscated by hedge terms such as ‘potentially’ and ‘may,’ as well as a ‘no evidence’ statement.” (Zou et al. 2019, 2) Although hedge terms benefit companies from a liability perspective, the terms give consumers a misleading aura of invulnerability. The research suggests that downplaying risks exacerbates inherent biases like the optimism bias, where people underestimate their likelihood of a poor outcome. Since hedge terms lead consumers to believe they will remain unaffected, proper precautions are not taken and consumers remain vulnerable after a data breach.

The complexity of the language used also discredits DBNs. Although criticizing DBNs for being complicated may seem arbitrary, the University of Michigan researchers quantitatively demonstrate this assertion. Using publicly available information from Maryland’s State Attorney General Office, 161 randomly selected DBNs were assessed for reading difficulty with the Flesch-Kincaid Grade Level (FKGL) test. The results show that DBNs had an average FKGL score of 10.02, meaning a tenth-grade reading ability was required to understand them. For context, research suggests that reading materials aimed at the public should fall between 7 and 9 on the FKGL scale. Furthermore, a striking 97 percent of the DBNs assessed were classified as difficult or fairly difficult to read on the Flesch Reading Ease Score scale. Although the University of Michigan study did not show how complexity directly impacts consumer behavior, prior research involving privacy policies shows that poor readability contributes to consumer inaction.
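The two measurements described above (the hedge-term pattern in the preceding paragraph and the Flesch-Kincaid Grade Level and Flesch Reading Ease scoring in this one) can be applied to a draft notification before it is sent. The following is an added example written for this article; it is not code from the Zou et al. study or from the Michigan researchers. It implements the standard published Flesch formulas with a simple vowel-group syllable heuristic (an assumption; real tools use dictionaries), and the hedge-term list, the 7-to-9 grade target, and the two sample notifications are constructed for illustration.

```python
"""Readability and hedge-term screening for a data breach notification draft.

Added illustrative code. The formulas are the published Flesch-Kincaid Grade
Level (FKGL) and Flesch Reading Ease (FRE); the syllable counter, hedge list,
and sample texts are constructed assumptions for this example.
"""
import re
from typing import Dict, List

VOWEL_GROUPS = re.compile(r"[aeiouy]+")

# Hedge phrases the article says downplay risk; list is an assumption.
HEDGE_TERMS = ["potentially", "may", "might", "could", "no evidence", "not aware"]

# Grade range the article cites for public-facing material.
PUBLIC_GRADE_MAX = 9.0


def count_syllables(word: str) -> int:
    """Heuristic: count vowel groups, drop one for a trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def readability(text: str) -> Dict[str, float]:
    """Return word/sentence counts plus FKGL and FRE for the text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    words_per_sentence = len(words) / len(sentences)
    syllables_per_word = syllables / len(words)
    fkgl = 0.39 * words_per_sentence + 11.8 * syllables_per_word - 15.59
    fre = 206.835 - 1.015 * words_per_sentence - 84.6 * syllables_per_word
    return {"words": len(words), "sentences": len(sentences),
            "syllables": syllables, "fkgl": round(fkgl, 2), "fre": round(fre, 2)}


def fre_band(score: float) -> str:
    """Standard Flesch Reading Ease bands."""
    bands = [(30, "very difficult"), (50, "difficult"), (60, "fairly difficult"),
             (70, "standard"), (80, "fairly easy"), (90, "easy")]
    for limit, label in bands:
        if score < limit:
            return label
    return "very easy"


def hedge_terms(text: str) -> Dict[str, int]:
    """Count each hedge phrase, matched on word boundaries, case-insensitively."""
    return {t: len(re.findall(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE))
            for t in HEDGE_TERMS}


def assess(text: str) -> Dict[str, object]:
    """Combine the metrics into a list of findings a reviewer would act on."""
    stats = readability(text)
    band = fre_band(stats["fre"])
    hedges = {t: n for t, n in hedge_terms(text).items() if n}
    findings: List[str] = []
    if stats["fkgl"] > PUBLIC_GRADE_MAX:
        findings.append(f"grade level {stats['fkgl']} exceeds the 7-9 public target")
    if band in ("very difficult", "difficult", "fairly difficult"):
        findings.append(f"reading ease {stats['fre']} rated '{band}'")
    if hedges:
        findings.append("hedge terms present: " + ", ".join(sorted(hedges)))
    return {"stats": stats, "band": band, "hedges": hedges, "findings": findings}


# Constructed sample notifications (not real DBNs).
HEDGED = ("We recently became aware of a security incident that may have potentially "
          "involved unauthorized access to certain systems containing personal "
          "information. At this time, we have no evidence that any information has "
          "been misused, and we are continuing to evaluate the matter with the "
          "assistance of external forensic experts.")

PLAIN = ("Your data was exposed. Someone broke into our servers on March 1. They took "
         "your name, address, and Social Security number. Call your bank today. "
         "Freeze your credit at all three bureaus.")

if __name__ == "__main__":
    for label, sample in (("hedged", HEDGED), ("plain", PLAIN)):
        result = assess(sample)
        print(label, result["stats"], result["band"])
        for f in result["findings"]:
            print("  -", f)
```

Running the module scores the hedged draft well above the ninth-grade ceiling with a "very difficult" reading-ease band and three hedge phrases, while the plain draft produces no findings. The syllable heuristic over-counts some words (for example "exposed"), so treat the absolute scores as approximate; the relative ranking between drafts is what the check is for.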

The researchers recommend updating both federal and state laws with standardized DBN requirements. They suggest “plain language” requirements like those used in the insurance industry, which utilizes the Flesch Reading Ease Score test. The researchers also call for the use of lists to draw the reader’s attention and highlight important information. Further, the researchers believe electronic forms of communication should be used to notify consumers of a breach, instead of standard mail. The University of Michigan study suggests that updating federal and state laws will allow consumers to make informed decisions and be reached faster.

DBN standardization, which emphasizes structure and readability, will empower consumers to protect themselves against damages. The University of Michigan study implies that DBNs are needlessly complicated. DBNs are legally disparate, downplay risk, and use complex language. These problems lead consumers to ignore DBNs. The study advocates for a federal law that standardizes DBNs.


Zou, Yixin, Shawn Danino, Kaiwen Sun, and Florian Schaub. 2019. “You ‘Might’ Be Affected: An Empirical Analysis of Readability and Usability Issues in Data Breach Notifications.” Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems 194, (May): 1–14. https://doi.org/10.1145/3290605.3300424.
