How to write an effective data breach notification?
Data breach notifications sent by companies to affected customers are often unclear and not very helpful, University of Michigan researchers have found.
The problem(s)
The researchers analyzed 161 data breach notifications sent by companies to US consumers between January and June 2018, and found that:
- Most were lengthy and would be difficult to understand for the general public (they require advanced reading skills).
- Many companies downplay or obscure the likelihood of the receiver being affected by the breach and associated risks. They do so by using hedge terms such as “potentially” and “may” and by using statements such as “we have found no evidence indicating that your breached personal data has been misused”.
- Recommended actions are usually described in detail, but they are buried in long paragraphs with little or no guidance on their effectiveness or urgency, which makes it hard for the reader to find and prioritize them.
Recommendations
Breached companies may be legally obliged to notify affected users and to include certain content in the notice, but too many of them choose language and structure that does not prompt consumers to use the protective measures available to them.
The researchers advise writers and designers of data breach notifications to:
- Devote more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
- Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
- Avoid hedge terms and “no evidence” claims (claims of no evidence of misuse could be misinterpreted by consumers as evidence of absence of risk).
A final and very important recommendation is to provide actionable choices and nudge users towards them.
“Actions of high priority (e.g. due to high effectiveness, urgency, or easiness to initiate) should be listed before other options. For instance, credit freeze should be mentioned in the main text, and above other options such as fraud alert and credit lock, to indicate its effectiveness in preventing access to credit reports and thereby proactively reducing identity theft risks,” the researchers say.
In addition to this, notifications should explicitly recommend specific actions and directly explain the reasons why each of them is recommended.
Here’s a proposed example of actionable, prioritized, well explained guidance:
We recommend that you first place a credit freeze on your credit report, as it prevents credit, loans and services from being approved in your name without your consent. Next, you can also consider placing a fraud alert on your credit report. While less restrictive, a fraud alert tells creditors to be cautious before they open any new accounts or change your existing accounts.
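The recommendations above (short sentences, no hedge terms or "no evidence" claims, high-priority actions listed first) are simple enough to check mechanically before a notice goes out. The script below is an added example written for this page, not something the researchers or the article published: it scores a notice with the Flesch-Kincaid grade formula, flags a hedge-phrase list, and checks that "credit freeze" is mentioned before "fraud alert" and "credit lock". The hedge list, the priority order of actions and the syllable heuristic are assumptions made for the example; the hedged sample notice is constructed for the demonstration, while the plain one is the article's own proposed wording.

```python
import re

# Constructed sample notice in the style the study criticises (not from the study's corpus).
HEDGED_NOTICE = (
    "We recently became aware of a security incident in which an unauthorized third party "
    "may have gained access to certain systems that potentially contained personal "
    "information, including names, addresses, and Social Security numbers, although at "
    "this time we have found no evidence indicating that any of your personal information "
    "has been misused. Out of an abundance of caution, you may wish to consider reviewing "
    "the protective measures described in the enclosed materials."
)

# The article's proposed example of prioritized, explained guidance.
PLAIN_NOTICE = (
    "We recommend that you first place a credit freeze on your credit report, as it "
    "prevents credit, loans and services from being approved in your name without your "
    "consent. Next, you can also consider placing a fraud alert on your credit report. "
    "While less restrictive, a fraud alert tells creditors to be cautious before they "
    "open any new accounts or change your existing accounts."
)

# Hedge phrases and "no evidence" claims to flag. This list is an assumption for the
# example, not one published by the researchers; extend it for your own house style.
HEDGE_RE = re.compile(
    r"\bpotentially\b|\bmay\b|\bmight\b|\bpossibly\b|\bcould have\b"
    r"|\bno evidence\b|\bout of an abundance of caution\b",
    re.IGNORECASE,
)

# Assumed priority order: the order in which the study suggests listing the options.
ACTION_PRIORITY = ("credit freeze", "fraud alert", "credit lock")


def split_sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def split_words(text):
    """Alphabetic tokens, keeping internal apostrophes (don't, company's)."""
    return re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", text)


def count_syllables(word):
    """Rough English syllable heuristic: vowel groups, minus a silent trailing 'e'."""
    w = word.lower()
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(1, n)


def flesch_kincaid_grade(text):
    """US school grade needed to read the text (standard Flesch-Kincaid formula)."""
    sentences = split_sentences(text)
    words = split_words(text)
    syllables = sum(count_syllables(w) for w in words)
    return round(
        0.39 * len(words) / len(sentences) + 11.8 * syllables / len(words) - 15.59, 1
    )


def find_hedges(text):
    """Hedge phrases in document order, lowercased."""
    return [m.group(0).lower() for m in HEDGE_RE.finditer(text)]


def actions_in_priority_order(text, priority=ACTION_PRIORITY):
    """True if at least one priority action is named and the named ones appear in order."""
    lowered = text.lower()
    positions = [lowered.find(a) for a in priority if a in lowered]
    return bool(positions) and positions == sorted(positions)


def lint_notice(text):
    """Collect the checks a notice should pass before it is sent."""
    sentences, words = split_sentences(text), split_words(text)
    return {
        "sentences": len(sentences),
        "words": len(words),
        "words_per_sentence": len(words) / len(sentences),
        "grade": flesch_kincaid_grade(text),
        "hedges": find_hedges(text),
        "actions_prioritized": actions_in_priority_order(text),
    }


if __name__ == "__main__":
    for name, notice in (("hedged", HEDGED_NOTICE), ("plain", PLAIN_NOTICE)):
        report = lint_notice(notice)
        print(f"{name}: grade {report['grade']}, "
              f"{report['words_per_sentence']:.1f} words/sentence, "
              f"hedges {report['hedges']}, "
              f"actions prioritized: {report['actions_prioritized']}")
```

Run it and the hedged notice comes out with roughly twice the words per sentence of the plain one, a higher reading grade, five hedge hits (two of them "may") and no protective action named at all, while the article's wording passes every check. The grade is only a proxy for the "plain language" the researchers call for, but failing it, or tripping the hedge list, is a cheap signal that a draft needs another pass.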
The researchers also advise lawmakers and regulators to provide clear guidance on how to produce an effective data breach notification. That includes specifying what it means to write one in "plain language" and encouraging companies to deliver the notification through multiple channels.