Why Prompt Breach Notification Is Important

By Linda Musthaler | July 15, 2014

Posted in: Network Security Trends

In a blog post last April, I wrote about a merchant that waited up to a year to notify customers that their payment card information may have been compromised in a breach. There were extenuating circumstances; the federal authorities investigating the breach asked the merchant to stay silent about the incident during the lengthy investigation. The breach notification law in the state of Texas, where the merchant is headquartered, permits a delay in notifying potential victims of stolen data if it is requested by law enforcement agencies.

Needless to say, consumers whose data might have been compromised by this breach were none too happy about the long delay in being told about it. Now a new study shows they have good reason to be upset. A report produced by Javelin Strategy & Research and sponsored by the National Consumers League (NCL) indicates that data breach notifications might help prevent multiple fraud incidents.

According to a 2014 Identity Fraud Report by Javelin, nearly 1 out of 3 data breach victims in 2013 suffered identity fraud, compared with 1 in 9 in 2010. Obviously the connection between data breaches and fraud is growing. But the good news is that consumer awareness of breaches – and the potential for fraud on their accounts – is on the rise, too. This is probably because so many people have been notified one or more times about their personal data being compromised.

Notification is a good thing because it often prompts consumers to sign up for email or mobile alerts about their credit or checking accounts, or to put fraud alerts on their credit reports. This makes data breach victims 15% less likely to suffer multiple fraud events compared with all fraud victims (i.e., including those whose fraud doesn't necessarily stem from a breach).

These alerts work. I can personally attest to the benefit of being notified of a merchant breach in which my payment card data might have been stolen. It led my family to sign up for credit monitoring as well as sign up for email and mobile alerts if our accounts are used in a card-not-present transaction. It turns out that one of our card accounts was used fraudulently in another state and the card issuer contacted us quite promptly about the charges, which we denied. That card was canceled and we received a new one.

When I was shopping for a new car in May and applied to several banks for a car loan, I was alerted to activity on my credit reports when the banks tried to check my creditworthiness. In this case it wasn't fraudulent activity, but I was relieved to know that the alerts were there in case I had not authorized the credit checks.

Forty-seven states, the District of Columbia, and three U.S. territories have enacted legislation requiring private or government entities to notify individuals of security breaches involving personally identifiable information, and for good reason. When people are notified promptly of a breach, they are more likely to take some sort of action that will reduce the likelihood of becoming a victim of fraud.
