Data-Breach Fatigue: Consumers Pay the Highest Price

By Neal O'Farrell, Security and Identity Theft Expert for

It's been more than three years since I first used the term "breach fatigue." It was in an interview with a bank-security publication and hot on the heels of the massive Epsilon data breach. "What's an Epsilon?!" I hear you scream. Exactly my point. Even though the Epsilon breach was considered absolutely massive at the time, losing 60 million customer email addresses doesn't seem like such a big deal anymore -- which might explain why so few consumers even recall the name "Epsilon" at all anymore.

Since that interview I've watched the term "breach fatigue" used with increasing frequency -- and despondency -- so much so that it now looks like it's actually a thing, a phenomenon, and a real worry about the future of data security and privacy.

Breach Fatigue: What It Means

The idea behind breach fatigue was simple. The more breaches consumers go through without experiencing any direct and tangible financial consequences, the less likely they are to care or worry about the next breach, or the next one, or the one after that, to the point that data breaches won't even be news to anyone anymore. And that could result in huge risks all around.

A company called Software Advice recently conducted a study of more than 4,000 U.S. adults to measure their awareness and recall of major data breaches. The news didn't really surprise many. For example, the study found that only two of the top breaches this year actually registered higher than 23-percent awareness. And a whopping 77 percent of those interviewed were completely unaware that eBay had a massive data breach, even though it affected nearly 150 million individuals and was only announced in May.

The report also found that fewer than 15 percent of consumers surveyed were actually aware of this year's highly publicized breaches at Michaels, PF Chang's, Neiman Marcus and even JPMorgan Chase.

Consequences of Breach Fatigue

For the consumer, breach fatigue is likely to only increase complacency and apathy and, at the same time, reduce concern and action. Consumers are already beginning to tune out news of even the most massive data breaches, especially as they look down each time and realize they're not injured. They're less likely to respond, to beef up their vigilance, and equally less likely to alter their behavior or change their habits.

Consumers are also more likely to ignore any alarms, alerts or notifications, and less likely to demand or accept offers of free credit monitoring or identity protection. After all, if they're not hurt, they don't need first aid. Most importantly, they'll be too tired and cynical to be outraged anymore. They're more likely to believe and forgive, to accept that data breaches are inevitable no matter how much money is invested in security. And without that rage, nothing has even a remote chance of changing.

And what if the sense of fatigue infects other security challenges, like identity theft and bank fraud? It's already a challenge to get consumers to take these risks seriously enough; getting consumers to take even basic precautions like passwords seriously is a perfect example. Will the cynicism of fatigue result in consumers not caring as much about their passwords as they should? Not checking their statements as often or as carefully? Not being as vigilant or as hygienic when it comes to malware?

For businesses, it will likely embolden them and make them more defiant and less apologetic about breaches, making them less concerned about the consequences of a breach and the potential losses. That in turn could lead to less of an inclination to protect data and customer privacy or invest more in security, which is something we're already seeing signs of. It will make businesses less likely to respond to criticisms, answer questions or provide any further clarity about breaches. Fewer heads will roll, and there will be less accountability.

And with a gradual lessening in consumer outrage, we are also likely to see less regulation, enforcement and punishment. What won't change is that the biggest losers will continue to be consumers. More and more of their data will be loose in the wild, making it increasingly easy for hackers to join the dots and launch devastating attacks against them. And there will be little evidence to prove which pieces of exploited data were leaked from which breached firms.

Maybe the frog has finally boiled. Maybe this creeping normality is what most businesses were hoping for all along -- that we'll get to a point where breaches are so common they almost go unnoticed. That sense of inevitability poses the biggest risk to our toughest challenge: to persuade consumers to give a crap, to stay involved and to believe that it's their fight too.

This post originally appeared on

Neal O'Farrell, Credit Sesame's Security and Identity Theft Expert, is one of the most experienced consumer-security experts on the planet. Over the last 30 years he has advised governments, intelligence agencies, Fortune 500 companies and millions of consumers on identity protection, cybersecurity and privacy. As Executive Director of the Identity Theft Council, Neal has personally counseled thousands of identity-theft victims, taken on cases referred to him by the FBI and Secret Service, and interviewed some of the nation's most notorious identity thieves.
