A full 67% of survey respondents said that the data breach notification they received did not provide enough information about the data breach, and nearly 61% said that they had problems understanding the notification.
For the survey, the Ponemon Institute polled 2,832 US consumers, only 25% of whom could remember receiving a data breach notification and therefore could provide answers to the survey questions.
A discouraging 37% of respondents said that they could not tell what the data breach incident was about from the notification they received, up from 28% in a similar survey conducted by the Ponemon Institute in 2005.
Michael Bruemmer, vice president of Experian Data Breach Resolution, noted that the variations in state laws regarding data breach notification contribute to the confusion among consumers. Currently, 46 states and the District of Columbia have separate data breach notification laws.
Bruemmer told Infosecurity that the federal data breach notification law, which is being considered by Congress, would help to reduce consumer confusion about data breaches. “A federal data breach notification law will help tremendously and that will also create a more level notification playing field”, he said.
An estimated 63% of respondents believe organizations should be obligated to compensate data breach victims with cash, their products, or services; 58% said the organization has an obligation to provide identity protection services; and 55% said they should provide credit-monitoring services.
According to the survey, 83% of consumers believe organizations that fail to protect their personal information are untrustworthy, and 82% said that the privacy and security of their personal information is important.
In response to being notified of a data breach, 15% of respondents said that they would terminate their relationship with the organization, and 39% said they would consider ending the relationship; 35% said their decision would be depend on whether the organization has another data breach.
“When companies are making the decision to notify and determining how to notify, they should take into consideration that if they were the affected party in the breach, how they would like to be communicated with. If more companies took that simple tack, in addition to following mandated requirements, I think it would help solve the problem”, Bruemmer advised.