Academia.eduAcademia.edu

Outline

Title
Abstract
FAQs
Figures
Introduction
The Dataset
Results
Conclusions
References

Data Breaches and the Dilemmas in Notifying Customers

Profile image of Fabio BisogniFabio Bisogni

Abstract

While the discussion about a federal law on data breach notification is ongoing and a rash of large, costly data breaches has galvanized public interest in the issue, this paper investigates on the phenomenon of data breach notification letters. In case of any data breach a company faces a number of dilemmas on how to inform the customers. The choices that a company makes on the missive content result decisive in having a prompt customers' reaction against identity theft and eventually in shaping the relations between customers and the organization itself. Starting from the various regulations in place in US, the analysis has been performed focusing on the content of over 210 letters sent in US in the first semester of 2014. In particular letters are classified based on elements that can be isolated and analysed, e.g. the level of transparency used in communicating the event causing the breach or the time span between data breach identification and its notification to customers....

FAQs

sparkles

AI

What explains the variation in data breach notification responses across states?add

The research indicates that 47 US States have different data breach laws, impacting notification practices. For example, California requires notifications to include specific details about the information accessed and a company's response within a set timeframe.

How does communication style affect customer perception during data breaches?add

The analysis reveals that letters addressing customers by name and providing clear information are seen as more trustworthy. Conversely, generic greetings and vague language are likely perceived as spam and minimize urgency to act.

What are the consequences of delayed notifications for breached organizations?add

The study finds that the average delay between breach discovery and notification is 34.65 days. Such delays can exacerbate reputational damage and increase the likelihood of identity theft for affected customers.

When considering customer notification, how do organizations balance legal compliance and reputation?add

Organizations often face a dilemma between transparency and minimizing reputational damage—this is illustrated in the 24.41% of letters classified as 'Cold', emphasizing transparent communication yet neutral tone. The findings show a tendency to downplay incidents to reduce potential backlash.

What types of information are most frequently included in breach notifications?add

Notably, 87% of State laws require notifications to specify the type of personal information breached, alongside the entity's contact details in 80% of cases. However, only 15 out of 47 States mandated comprehensive content, leading to inconsistently informative letters.

Figures (14)
Table 1 — Mandatory elements of data breach notification by State
Table 1 — Mandatory elements of data breach notification by State
In case of box b, the description of the event can be very detailed and clear, but opacity can be found in the description of the accessed/acquired PII, not specifying clearly which ones were breached. In order to determine the level of clarity we defined a simple description with the one of the PII details. To simplify the analysis we assumed there are only two possible options for trans parency: transparent and opaque. In case of the event descri meets at least 2 out of the following 3 requirements (the type of the o detai clear rganisation reaction is indicated) and opaque if it meets on tool that crosses the level of transparency in the event ption the notification is classified as transparent when it event is specified, the generating causes are described, y 1 of the requirements listed above. In case of the PII s the letter is considered transparent if the personal identi fiable information accessed/acquired by third party are y specified and opaque if not. The “crossing” tool provides basically 4 areas of clarity as shown in Figure 1. Clearly within each area we may find many shades of clarity, to be noted particularly in the letters where either the even t or the PII lack some transparency (see boxes b and c in the figure below).
In case of box b, the description of the event can be very detailed and clear, but opacity can be found in the description of the accessed/acquired PII, not specifying clearly which ones were breached. In order to determine the level of clarity we defined a simple description with the one of the PII details. To simplify the analysis we assumed there are only two possible options for trans parency: transparent and opaque. In case of the event descri meets at least 2 out of the following 3 requirements (the type of the o detai clear rganisation reaction is indicated) and opaque if it meets on tool that crosses the level of transparency in the event ption the notification is classified as transparent when it event is specified, the generating causes are described, y 1 of the requirements listed above. In case of the PII s the letter is considered transparent if the personal identi fiable information accessed/acquired by third party are y specified and opaque if not. The “crossing” tool provides basically 4 areas of clarity as shown in Figure 1. Clearly within each area we may find many shades of clarity, to be noted particularly in the letters where either the even t or the PII lack some transparency (see boxes b and c in the figure below).
Figure 2 — Data breach sample 1/1/2014-30/6/2014 4. Implementing the framework and shaping the letter types As a token of your appreciation for your continued patronage, we are also enclosing a 20% discount code that you may use on your next purchase from us at www... [7FL]
Figure 2 — Data breach sample 1/1/2014-30/6/2014 4. Implementing the framework and shaping the letter types As a token of your appreciation for your continued patronage, we are also enclosing a 20% discount code that you may use on your next purchase from us at www... [7FL]
Figure 3 — Data sample by event The total number of 213 notifications has been analysed across all framework elements: each letter was classified in terms of type of event, type of PII, arrangement and options for components. The single notification elements were recorded using an inductive content analysis. Type of PII The dataset shows that the notified breach are related mostly to Social Security Number and financial information, including data/credit card details. In particular one letter out of two was related to breaches involving such data. Personal Health information and other Personal information were included in the 14% of the cases.
Figure 3 — Data sample by event The total number of 213 notifications has been analysed across all framework elements: each letter was classified in terms of type of event, type of PII, arrangement and options for components. The single notification elements were recorded using an inductive content analysis. Type of PII The dataset shows that the notified breach are related mostly to Social Security Number and financial information, including data/credit card details. In particular one letter out of two was related to breaches involving such data. Personal Health information and other Personal information were included in the 14% of the cases.
Starting from this sample it can be observed that the combination of the letter elements defines the ultimate form of communication. We identified the clarity of the event, the tone on the consequences, the action suggested to the reader and the interaction fostered by the writer as drivers for the letter type identification. In fact, the analysis of the available letters allows to determine the following 6 letter types, which cover almost 97% of the sample analysed as Table 6 shows.
Starting from this sample it can be observed that the combination of the letter elements defines the ultimate form of communication. We identified the clarity of the event, the tone on the consequences, the action suggested to the reader and the interaction fostered by the writer as drivers for the letter type identification. In fact, the analysis of the available letters allows to determine the following 6 letter types, which cover almost 97% of the sample analysed as Table 6 shows.
Table 8 — Data breaches by event and letter type (% )
Table 8 — Data breaches by event and letter type (% )
Table 9 - Data breaches by event and key elements (% ) tis worth noticing that in the cases where a company could be more easily identified as ultimate responsible of the data breach, and therefore possibly subject to legal actions, the use of no worries letters in order to minimize the problem is present in high percentage. Specifically in 100% of the cases if payment card fraud, 30,91% of the cases for unintended disclosure, 20% if data breaches are generated by insiders and 20% if the physical loss was the origin of the potentially accessed PII. It is interesting that in case of junk letters the insider event shows a pretty high share of this letter type 26,67%). When the breach is generated by physical loss the cold letter type is used in the 43% of the cases.
Table 9 - Data breaches by event and key elements (% ) tis worth noticing that in the cases where a company could be more easily identified as ultimate responsible of the data breach, and therefore possibly subject to legal actions, the use of no worries letters in order to minimize the problem is present in high percentage. Specifically in 100% of the cases if payment card fraud, 30,91% of the cases for unintended disclosure, 20% if data breaches are generated by insiders and 20% if the physical loss was the origin of the potentially accessed PII. It is interesting that in case of junk letters the insider event shows a pretty high share of this letter type 26,67%). When the breach is generated by physical loss the cold letter type is used in the 43% of the cases.
Table 10 — Average time span between data breach discovery date ad breach notification date
Table 10 — Average time span between data breach discovery date ad breach notification date
A concluding aspect of the analysis is referred to the timing of the notification, the ultimate compliance dilemma fo organisation. Figure 4 - Time span (days) between data breach discovery date and breach
A concluding aspect of the analysis is referred to the timing of the notification, the ultimate compliance dilemma fo organisation. Figure 4 - Time span (days) between data breach discovery date and breach
Table 12 - Average time span between data breach discovery date and initial potential harm date 114 cases indicate also the date when the event started (and so the potential harm). In case of unintended disclosure this could be when the file has been sent out, in case of insiders this could be the date when the employee might have started his criminal intentions. These data reveals an even more worrying situation. We identified in fact the average of 117 days’ (see Table 11) between the communication and the day when the potential harm started, with 51'° cases over 2 months.
Table 12 - Average time span between data breach discovery date and initial potential harm date 114 cases indicate also the date when the event started (and so the potential harm). In case of unintended disclosure this could be when the file has been sent out, in case of insiders this could be the date when the employee might have started his criminal intentions. These data reveals an even more worrying situation. We identified in fact the average of 117 days’ (see Table 11) between the communication and the day when the potential harm started, with 51'° cases over 2 months.
Figure 5 - Time span (days) between initial potential harm date and data breach notification date Only in 142 of the letters the time of the event identification is specified. This enables to calculate in days the average time from the discovery of the event to the moment of the communication to customers. The result’? is 34,65 days (se¢ Table 10), with 71'* cases over one month.
Figure 5 - Time span (days) between initial potential harm date and data breach notification date Only in 142 of the letters the time of the event identification is specified. This enables to calculate in days the average time from the discovery of the event to the moment of the communication to customers. The result’? is 34,65 days (se¢ Table 10), with 71'* cases over one month.

Related papers

Estimating the size of the iceberg from its tip: An investigation into unreported data breach notifications
Fabio Bisogni

2017

A decade has passed since the enactment of data breach notification laws in numerous U.S. states. Whether their goal of incentivizing better security practices has been realized is the subject of an ongoing debate. What is clear, however, is that they have offered more visibility into the state of data breach events in the United States. By looking at the available breach statistics we can easily assume that an unknown number of breaches have not become public knowledge. With the aim to tackle this issue our investigation sets out to provide an enhanced understanding of these breaches. In particular the contributions of this paper are as follows: (i) to model the impact of DBNL provisions on the number of known data breaches and breach notification times, while controlling for sector and state differences; (ii) to estimate the number of breaches about which notifications have been issued but that are not publicly reported; and (iii) to discuss key elements of DBNL that make those laws effective in view of the implementation of the European regulation on security and data breaches. The results of our research lead to conclude that the data breaches we are aware of, because publicly know, are just the tip of an iceberg. However, the dimension of what is visible and what is hidden strongly depends on how DBNL are built, i.e. which are the relevant provisions to be included. We provide such indications widening the discussion on the subject by reporting on sector and event specific notification and detection times.

View PDFchevron_right
An Empirical Investigation of Company Response to Data Breaches
Hamid Reza Nikkhah, Varun Grover

MIS Quarterly, 2022

Companies may face serious adverse consequences as a result of a data breach event. To repair the potential damage to relationships with stakeholders after data breaches, companies adopt a variety of response strategies. However, the effects of these response strategies on the behavior of stakeholders after a data breach are unclear; differences in response times may also affect these outcomes, depending on the notification laws that apply to each company. As part of a multi-method study, we first identify the adopted response strategies in Study 1 based on content analysis of the response letters issued by publicly traded U.S. companies (n = 204) following data breaches; these strategies include any combination of the following: corrective action, apology, and compensation. We also find that breached companies may remain silent and adopt a no action strategy. In Studies 2 and 3, we examine the effects of various response strategies and response times on the predominant stakeholders affected by data breaches: customers and investors. In Study 2, we focus on customers and present a moderated-moderated-mediation model based on the expectancy violation theory. To test this model, we design a factorial survey with 15 different conditions (n = 811). In Study 3, we focus on investors and conduct an event study (n = 166) to examine their reactions to company responses to data breaches. The results indicate the presence of moderating effects of certain response strategies; surprisingly, we do not find compensation to be more effective than apology. Further, the magnitude of the moderating effects of response strategies is contingent upon response time. We also find that the negative effects of data breaches disappear after 6 months. We interpret the results and provide implications for research and practice.

View PDFchevron_right
Data Breach Disclosure
Melissa Dark

Concepts, Methodologies, Tools and Applications

As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, we have seen noticeable growth in public policy aimed at bolstering cybertrust. With this growth in public policy, questions regarding the effectiveness of these policies arise. This chapter focuses on policy analysis of the state data breach disclosure laws recently enacted in the United States. The state data breach disclosure laws were chosen for policy analysis for three reasons: the rapid policy growth (the United States have enacted 45 state laws in 6 years); this is the first instantiation of informational regulation for information security; and the importance of these laws to identity theft and privacy. The chapter begins with a brief history in order to provide context. Then, this chapter examines the way in which historical, political and institutional factors have shaped our current data breach disclosure policies, focusing on discovering how p...

View PDFchevron_right
Data Breaches and Effective Crisis Communication: A Comparative Analysis of Corporate Reputational Crises
Michael schonheit

Corporate Reputation Review

Please provide the closed quote in the sentence 'They coined the term...' "Breach Fatigue" 7. Please provide the closed quotes in the sentence 'The WSJ reported how the MSCI index in...' Equifax "was ill prepared to face the increasing frequency and sophistication of data breaches" [E5: 1]. 8. Please confirm the section level headings add heading for 'Findings and Discussion'

View PDFchevron_right
Personal data disclosure and data breaches: the customer's viewpoint
Maurizio Naldi

arXiv preprint arXiv:1203.3870, 2012

Abstract: Every time the customer (individual or company) has to release personal information to its service provider (eg, an online store or a cloud computing provider), it faces a trade-off between the benefits gained (enhanced or cheaper services) and the risks it incurs (identity theft and fraudulent uses). The amount of personal information released is the major decision variable in that trade-off problem, and has a proxy in the maximum loss the customer may incur. We find the conditions for a unique optimal solution to exist for ...

View PDFchevron_right
Stakeholder perspectives regarding the mandatory notification of Australian data breaches
Evonne Miller

Media and Arts Law …, 2010

View PDFchevron_right
The Effect of a Data Breach Announcement on Customer Behavior: Evidence from a Multichannel Retailer
rishika rishika

Journal of Marketing, 2018

In this study, the authors assess the effects of a data breach announcement (DBA) by a multichannel retailer on customer behavior. They exploit a natural experiment and use individual customer transaction data from the retailer to conduct a detailed and systematic empirical examination of the effects of a DBA on customer spending and channel migration behavior. To identify the effects, the authors compare the change in customer behavior before and after the DBA between a treatment group (customers whose information is breached) and a control group (customers whose information is not breached) using the difference-in-differences modeling framework. They find that although the data breach results in a significant decrease in customer spending, customers of the firm migrate from the breached to the unbreached channels of the retailer. The findings further reflect that customers with a higher retailer patronage are more forgiving because the negative effects of the DBA are lower for cus...

View PDFchevron_right
The Impact of Federal and State Notification Laws on Security Breach Announcements
Sanjay Goel

Communications of the Association for Information Systems

Firms are under increasing regulatory pressures to protect consumers' confidential information. The focus of this article is to examine the impact of federal and state breach notification laws in coaxing organizations to improve security of customers' confidential information. Specifically, we use event-study methodology to examine the impact of security breach announcements on the market value of firms during the period before and after the enactment of this legislation. Our results show that the negative impacts of security breach announcements on stock prices have been reduced significantly after the enactment of federal and state security breach notification laws.

View PDFchevron_right
Data Breach – Its Effects on Industry
IJDIIC IJDIIC

Zenodo (CERN European Organization for Nuclear Research), 2022

In this Digital world, Data has become one of the most crucial parts in every field. To protect this sensitive piece of information many methods and technologies are coming into existence. A data breach reveals sensitive, protected and confidential information to an unauthorized person. Increasingly opportunities exist for information to leak out as our computers and mobile devices become more associated. Data leaks pose a serious threat to companies and can cost them significantly either financially and reputationally. The long-term effects of a data breach can spread throughout a company, having an effect on all parties involved, including the user base, staff, and cybersecurity teams in charge of repair. By giving priority to the most frequently attacked industries, this article will advance understanding about data hacking incidents and aid in securing corporate data.

View PDFchevron_right
The Impact of Data Breach on Reputed Companies
IJRASET Publication

International Journal for Research in Applied Science & Engineering Technology (IJRASET), 2022

We'll come to digital India we the Indians are at the top position in internet usage at the same time India is ranked third among list of countries globally where most of the threats were detected &second globally when it comes to spam and phishing (misleading emails, weblink etc. A data breach is the planned or inadvertent disclosure of confidential information to unauthorized parties. The impact of cyber-attack on a Company is much higherthan the impact on an individual.Data leakage poses serious threats to companies, including significant reputational damage and financial losses. Day by day as the volume of data is growing exponentially and data breaches are happening more frequently than ever before, identifying and preventing data loss has become one of the most pressing security concerns for organizations. This review article helps to learn about company's data leak threats, recent data breach incidents and its impact on reputed companies.

View PDFchevron_right

References (99)

  1. In 2001, the annual total loss of complaints referred to the IC3 (Internet Crime Complaint Center) amounted to approximately 17.8 million U.S. dollars and grew to 781.84 million U.S. dollars in 2013. In 2012 the amount was 581,44 million U.S. dollars. Statista 2015 20 Note that Maine Attorney General only lists data breaches without providing letters for consultation. Maine was therefore not included in the analysis. This list allows us however to observe that adding a fifth state to the sample there would be additional 29 data breaches, bringing the total to 242 (64% of total data breaches then would be covered by 5 States out of 47)
  2. Malware Analysts Have the Tools to Defend Against Cyber-Attacks, But Challenges Remain, Threattrack security, White Paper, November 2013 22 http://cybercrimeupdates.blogspot.it/2008/08/over-89-of-security-incidents-not.html / References Alred, G. J., Brusaw, C. T., & Oliu, W. E. (2011). The business writer's handbook. Boston, MA: Bedford/St.
  3. Martin's Baker Hostetler (2014). State Data Breach Statute Form Benoit, W. L., & Drew, S. (1997). Appropriateness and effectiveness of image repair strategies. Communication Reports, 10, 153-163
  4. Bies, R. J. (2013). The Delivery of Bad News in Organizations: A Framework for Analysis. Journal of Management Vol. 39 No. 1, January 2013 136-162
  5. Bies, R. J., & Shapiro, D. L. (1987). Interactional fairness judgments: The influence of causal accounts. Social Justice Research, 1: 199-218.
  6. Bisogni, F. (2013). Evaluating Data Breach Notification Laws -What Do the Numbers Tell Us?. TPRC 41: The 41st Research Conference on Communication, Information and Internet Policy, September 2013
  7. Bovée, C. L., & Thill, J. V. (2012). Writing negative messages. In Business communication today (11th ed.). Upper Saddle River, NJ: Prentice Hall
  8. Bradford, J. L., & Garrett, D. E. (1995). The effectiveness of corporate communicative responses to accusations of unethical behavior. Journal of Business Ethics, 14, 875-892
  9. California Civil Code § 1729.98
  10. Carter, C. (2012). Negative messages. In Keys to business communication: Success in college, career, and life. Upper Saddle River, NJ: Prentice Hall
  11. Cohen, J. R. (1999). Advising clients to apologize. Southern California Law Review, 72, 1009-1073 Commercial Law League of America (2012). Data Breach Notification Laws by State Conlon D. E., & Murray N. M. (1996). Customer perceptions of corporate response to product complains: the role of explanations, Academy of Management Journal, Vol.39, No. 4, 1040-1056
  12. Creelman, V. (2012). The Case for "Living" Models. Business Communication Quarterly 75 (2) 192-207 Data breaches and identity theft (2005). Prepared statement of the Federal Trade Commission before the Committee on Commerce, Science and Transportation. US Senate 109 th Congress.
  13. Dean, D. W. (2004). Consumer reaction to negative publicity: Effects of corporate reputation, response, and responsibility for a crisis event. Journal of Business Communication, 41, 192-211
  14. DeKay, S. H. (2012). Where is the research on Negative Messages. Business Communication Quarterly 75 (2) 173-175 EU Commission Regulation No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches. Under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications
  15. Faulkner B. (2007). Hacking into Data Breach Notification Laws. 59 Florida Law Review Fuchs-Burnett, T. (2002). Mass public corporate apology. Dispute Resolution Journal, 57(3), 26-32 GAO United States Government Accountability Office (2007). Personal Information. Data Breaches are frequent, but evidence of resulting Identity Theft is limited; however, the full extent is unknown. GAO Report to Congressional Requesters
  16. Greenberg, J. (1990). Looking fair vs. being fair: Managing impressions of organizational justice. In B. M. Staw & L. L. Cummings (Eds.), Research in organizational behavior, vol. 12:111-157. Greenwich, CT: JAI Press Hynes, G. E. (2008). Routine messages. In Managerial communication: Strategies and applications (4th ed.). Columbus, OH: McGraw-Hill Identity Theft Resource (2014). 2014 Data Breach Reports Javelin Strategy & Research (2011). Identity Fraud Survey Report: Consumer Version Kolin, P. C. (2007). Successful writing at work. Boston, MA: Houghton Mifflin
  17. Lehman, C. M., DuFrene, D. M. (2012). Delivering bad-news messages. In BCOM (3rd ed.). Mason, OH: South-Western/Cengage Learning
  18. Lyon, L., & Cameron, G. T. (1998). Fess up or stonewall? An experimental test of prior reputation and response style in the face of negative news coverage. Web Journal of Mass Communication Research, 1(4). Retrieved May 1, 2015 from http://www.scripps.ohiou.edu/wjmcr/vol01/1-4a.htm
  19. Loewenstein, G., John, L., & Volpp, K. (2012). Using decision errors to help people help themselves. In E. Shafir (Ed.), The behavioral foundations of policy. Princeton, NJ: Princeton University Press Locker, K. O. (1999). Factors in reader responses to negative letters: Experimental evidence for changing what we teach. Journal of Business and Technical Communication, 13, 5-48
  20. Locker, K. O., & Kienzler, D. S. (2010). Delivering negative messages. In Business and administrative communication (9th ed.). New York, NY: McGraw-Hill/Irwin
  21. Mintz Levin (2012). State Data Security Breach Notification Laws Patel, A., Reinsch, L. (2003). Companies Can Apologize: Corporate Apologies and Legal Liability. Business Communication Quarterly 66.1, 9-25
  22. Perkins (2013). Security Breach Notification Chart Pike, G. H. (2008). Legal Issues: Data Breaches Top the Agenda at RSA Conference Ponemon Institute LLC (2012). 2012 Consumer Study on Data Breach Notification Ranger, S. (2007, September 3). Data breach laws make companies serious about security. Silicon.com. Available at http://management.silicon.com/itdirector/0,39024673,39168303,00.htm?r=1.
  23. Romanosky, S., Telang R., & Acquisti, A. (2011). Do data breach Disclosure Laws Reduce Identity Theft?. Journal of Policy Analysis and Management, Vol. 30, No. 2, 256-286
  24. Seeger, M. W., Sellnow, T. L., & Ulmer, R. R. (1998). Communication, organization, and crisis. In M. E. Roloff (Ed.), Communication yearbook (Vol. 21, pp.231-275). Thousand Oaks, CA:SAGE
  25. Schwartz, P., & Janger, E. (2007). Notification of Data Security Breaches. 105 Michigan Law Review 913
  26. Schwartz, P. M., & Solove, D. J. (2014). Reconciling Personal Information in the United States and European Union, 102 Cal. L. Rev. 877
  27. Shwom, B. G., & Snyder, L. G. (2012). Communicating bad-news messages. In Business communication: Polishing your professional presence. Upper Saddle River, NJ: Prentice Hall Threattrack security (2013) Malware Analysts Have the Tools to Defend Against Cyber-Attacks, But Challenges Remain. White Paper
  28. Veltsos, J. R. (2012). An Analysis of Data Breach Notifications as Negative News. Business Communication Quarterly 75 (2) 192-207
  29. Verizon (2014). 2014 Data breach investigations report http://cybercrimeupdates.blogspot.it/2008/08/over-89-of-security-incidents-not.html / 36 intuit-30 January 2014
  30. Beebe Healthcare-31 January 2014 38 Neilsen letter to Consumers re Security Breach-03 February 2014 39 University of California Davis Medical Center-03 February 2014
  31. Greenleaf Book Group, LLC-03 February 2014 41 Bank of the West-05 February 2014
  32. K. Min Yi, M.D. General Surgery-05 February 2014
  33. St. Joseph Health System-05 February 2014
  34. Mimeo.com-05 February 2014
  35. San Francisco Airport letter to Consumers re Security Breach 1-07 February 2014 46 Easter Seal Society of Superior California-07 February 2014
  36. Catamaran-07 February 2014 48 Farmers and Merchants Trust Company of Chambersburg-07 February 2014
  37. Mymatrixx-07 February 2014 50 Home Depot letter to Comsumers re Security Breach-10 February 2014 51 The Freeman Company-10 February 2014 52 80s Tees Letter to Consumer re security Breach-11 February 2014 53 Embassy suites-11 February 2014 54 Fresenius Medical Care-11 February 2014 55 TD Bank 11 February 2014
  38. 56 Zevin Asset Mgmt Letter to Consumer re Security Breach-13 February 2014 57 MSPCC letter to Consumers re Security Breach-13 February 2014
  39. Carmike Cinemas, Inc.-13 February 2014 59 Experian letter to Consumers re Security Breach-14 February 2014
  40. Rubin Lublin, LLC 14 February 2014
  41. TD Bank Security Breach Notice-18 February 2014 62 Blue Shield of California-18 February 2014
  42. John Hancock Life & Health Insurance Company-18 February 2014 64 Department of Resources Recycling and Recovery-20 February 2014 65 Discover Financial Services-21 February 2014
  43. Alaska Communications Letter to Consumer re Security Breach-24 February 2014
  44. Merrill Lynch Wealth management-24 February 2014
  45. DST Systems, Inc.-24 February 2014 69 eScreen, Inc.-25 February 2014 70 The Variable Annuity Life Insurance Company-26 February 2014
  46. Mkenna Long & Aldridge-26 February 2014 72 Smucker letter to Consumers re Security Breach-27 February 2014
  47. L.A. Care Health Plan-27 February 2014
  48. ProAssurance Mid-Continent Underwriters, Inc.-27 February 2014 75 Sands Casino letter to Consumers re Security Breach-28 February 2014
  49. Digia USA, Inc.-28 February 2014
  50. ThermoFisher-28 February 2014 79 Capital One letter to Consumers re security breach-03 March 2014
  51. Timken Co Letter to Consumers re security breach-03 March 2014
  52. Assisted Living Concepts LLC Security Breach Notice- 03 March 2014 82 St. Joseph Health-03 March 2014
  53. Assisted Living Concepts Notice-05 March 2014 87 Oak letter to Consumers re security breach-06 March 2014 88 OANDA letter to Consumers re security Breach-12 March 2014 89 UCSF Family Medicine Center at Lakeshore-12 March 2014
  54. Silversage Advisors-13 March 2014 91 USAA letter to Consumers re security Breach-17 March 2014
  55. Arcadia Health Services, Inc. d/b/a Arcadia Home Care & Staffing-17 March 2014 93 Shelburne Country Store Notice to Consumers-18 March 2014 94 Auburn Univ letter to Consumers re Security Breach-19 March 2014 95 Discover letter to Consumers re Security Breach-20 March 2014
  56. Marian Regional Medical Center-20 March 2014 97 Sorenson letter to Consumers re Security Breach-21 March 2014
  57. Castle Creek Properties, Inc., dba Rosenthal the Malibu Estates-21 March 2014
  58. Human Resource Advantage-21 March 2014
  59. Palomar Health-28 March 2014 103 ITHAKA-31 March 2014
  60. RK Internet-31 March 2014 105 American Express Travel Related Services Company, Inc and /or its Affiliates ("AXP")-01 April 2014
  61. Susquehanna Health-01 April 2014
  62. American Health Information Management Association (AHIMA)-02 April 2014
  63. Citibank, N.A.-02 April 2014
  64. Cole Taylor Bank-03 April 2014
  65. Sutherland Healthcare Solutions-03 April 2014
  66. Logos Management Software, LLC-03 April 2014 114 Parallon-03 April 2014 115 Deltek Letter to Consumer re Security Breach-07 April 2014
  67. American Express Travel Related Services Company, Inc and /or its Affiliates ("AXP")-07 April 2014 117 City of Crossville, Tennessee-07 April 2014 118 FujiFilm-07 April 2014 119 CRL Letter to Consumer re Security Breach-08 April 2014
  68. StumbleUpon, Inc.-08 April 2014 121 LaCie USA-11 April 2014 122 Society for Science & the Public-11 April 2014 123 Wilshire Mutual Funds letter to Consumers re Security Breach-14 April 2014
  69. Mid Atlantic Professionals, Inc. DBA SSI-14 April 2014 125 Blue Cross and Blue Shield of Kansas City, Inc.-16 April 2014 126 Discover letter to Consumers re Security Breach-17 April 2014 127 Michaels press release re Security Breach-17 April 2014 128 VFW letter to Consumers re Security Breach-21 April 2014
  70. NCO FinancialRevSpring Inc letter to Consumers re Security breach-22 April 2014 130 Snelling letter to Consumers re Security Breach-22 April 2014
  71. L Brands, Inc.-23 April 2014 135 JCM Partners Letter to Consumer re Security Breach-24 April 2014
  72. Westlife Distribution USA, LLC-24 April 2014 137 CCC Letter to Consumer re Security Breach-25 April 2014
  73. Willis North America letter to Consumers re Security Breach-25 April 2014 139 Central City Concern-25 April 2014 140 Federal Home Loan Mortgage Corporation (Freddie Mac)-25 April 2014 141 Seterus-29 April 2014 142 Boomerang Tags-30 April 2014 143 UMass Memorial MC ltrt Consumer (Redacted) re Security Breach-05 May 2014 144 ground(ctrl)-05 May 2014
  74. Maschino, Hudelson & Associates-05 May 2014 146 Department of Child Support Services-06 May 2014 147 2014 Gingerbread Shed Letter to Consumer re security breach-07 May 2014
  75. Green's Accounting-07 May 2014
  76. Mercer HR Services, LLC-07 May 2014
  77. Entercom Portland, LLC-07 May 2014 151 PREIT-08 May 2014 152 Lowes Letter to Consumer re Security Breach-12 May 2014 153 Santander Bank, N. A.-12 May 2014
  78. Hubbard-Bert, Inc.-13 May 2014 155 University of California Irvine-14 May 2014 156 Precision Planting LLC-14 May 2014
  79. Discover Letter to Consumers re Security Breach-16 May 2014 158 Affinity Gaming-19 May 2014
  80. CoreLogic Saferent-21 May 2014
  81. Experian Letter to Consumer re Security Breach-22 May 2014
  82. San Diego State University-22 May 2014 164 CenturyLink-22 May 2014 165 Ebay-22 May 2014 166 Power Equipment Direct Security Breach Notice to Consumers-23 May 2014
  83. Service Alternatives, Inc.-27 May 2014 172 SHARPER FUTURE-28 May 2014
  84. American Express Travel Related Services Company, Inc. and /or its Affiliates ("AXP")-29 May 2014 174 American Express Travel Related Services Company, Inc and /or its Affiliates ("AXP")-02 June 2014 175 Kimpton-02 June 2014 176 Gordon Feinblatt LLC-02 June 2014
  85. Rowan Companies, Inc.-02 June 2014 178 Craftsman Book Company-03 June 2014 179 National Credit Adjusters letter to Consumers re Security Breach-05 June 2014 180 College of the Desert-09 June 2014
  86. AT&T Mobility, LLC -10 June 2014
  87. Stanford Federal Credit Union-11 June 2014
  88. Santa Rosa Memorial Hospital-12 June 2014 184 The Union Labor Life Insurance Company-12 June 2014 185 Ullico Inc.-12 June 2014
  89. AirBorn Letter to Consumers (Redacted) re Security Breach-13 June 2014 187 Riverside Community College District-13 June 2014
  90. David Stanley Dodge-16 June 2014
  91. American Express Travel Related Services Company, Inc and/or its Affiliates ("AXP")-17 June 2014 192 Specialized Eye Care-17 June 2014 193 The Metropolitan Companies Inc. Letter to Consumers re Security Breach-18 June 2014
  92. Bell Nursery USA, LLC-18 June 2014
  93. Rady Children's Hospital-San Diego-20 June 2014 198 University of California, Washington Center (UCDC)-20 June 2014 199 Primerica-20 June 2014
  94. Montana Department of Public Health Human Services Letter to Consumers re Security Breach-23 June 2014 201 Safety First -Non MA Notice Template with data elements-23 June 2014
  95. MileOne Letter to Consumers re Security Breach-23 June 2014 203 Giant Eagle Letter to Consumer re Security Breach-23 June 2014 204 Riverside County Regional Medical Center-24 June 2014 205 Butler University Letter to Consumers re Security Breach-26 June 2014
  96. Sterne, Agee & Leach, Inc.-26 June 2014 207 Legal Sea Foods Letter to Consumers re Security Breach-27 June 2014
  97. Benjamin F Edwards Letter to Consumer re Security Breach-27 June 2014
  98. Record Assist Letter to Consumers-27 June 2014 210 Invest Financial Corporation-27 June 2014 211 Baltimore School of Massage Therapy-27 June 2014 212 Seterus-27 June 2014
  99. Dennis East International, LLC-30 June 2014

Related papers

An Investigation of the Impact of Data Breach Severity on the Readability of Mandatory Data Breach Notification Letters: Evidence From U.S. Firms
Colm Fearon

Journal of the Association for Information Science and Technology, 2019

The aim of this paper is to investigate the impact of data breach severity on the readability of mandatory data breach notification letters. Using a content analysis approach to determine data breach severity attributes (measured by the total number of breached records, type of data accessed, the source of the data breach and how the data was used), in conjunction with readability measures (reading complexity, numerical intensity, length of letter, word size and unique words), 512 data breach incidents from 281 U.S. firms across the 2012-2015 period are examined. The results indicate that data breach severity has a positive impact on reading complexity, length of letter, word size and unique words, and a negative impact on numerical terms. Interpreting the results collectively through the lens of impression management, it can be inferred that business managers may be attempting to obfuscate bad news associated with high data breach severity incidents by manipulating syntactical features of the data breach notification letters in a way which makes the message difficult for individuals to comprehend. The paper contributes to the information studies and impression management behavior literatures, by analyzing linguistic cues in notifications following a data breach incident.

View PDFchevron_right
Towards a Model for Data Breaches: An Universal Problem for the Public
Robert Holtfreter

International Journal of Public Information Systems, 2014

The topic of data breaches, protection of information and data security salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world. This article analyzes the trends in data breaches in the United States and classifies them into five general industry sectors and eighteen sub-sectors using a new model recently developed by the authors and also provides basic recommendations for information and security personnel in every industry throughout the world to use to improve data protection and thus help protect public information for consumers and all types of organizations. The 2,280 data breaches tracked by the Privacy Rights Clearinghouse from 2005 through 2010 were used in the study. The findings indicate that the trends for the annual number of data breaches for the five general industries and their sub-sectors have increased, although inconsistently, over the six-year period. The analysis and classification of data breaches by general and sub-sector industries with the use of this new data breach model provides an awareness of the data breach problem for information managers and security personnel in public and private sector organizations throughout the world and also provides a workable methodological framework to help them develop innovative and useful policies for safeguarding personal information of consumers, clients, employees and other entities. The topic of data breaches and information management remains salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world.

View PDFchevron_right
More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws
Fabio Bisogni

Journal of Information Policy, 2020

This article investigates the relationship between data breaches and identity theft, including the impact of Data Breach Notification Laws (DBNL) on these incidents (using empirical data and Bayesian modeling). We collected incident data on breaches and identity thefts over a 13-year timespan (2005–2017) in the United States. Our analysis shows that the correlation is driven by the size of a state. Enacting a DBNL still slightly reduces rates of identity theft; while publishing breaches notifications by Attorney Generals helps the broader security community learning about them. We conclude with an in-depth discussion on what the European Union can learn from the US experience.

View PDFchevron_right
Data Breach Notification: Issues and Challenges for Security Management
Maria Karyda

MCIS, 2016

Several high-profile personal data breaches have triggered a discussion among privacy advocates, security practitioners, corporate managers and politicians on what role regulation should play in how companies and organisations protect data. The self-regulation paradigm fails to reinforce individuals' right to information and foster proactive risk management as incident-related information is communicated informally and on a voluntary basis. Lately (April 2016) the European Parliament adopted a reformed General Data Protection Regulation (GDPR) which regulates data breach notification. This paper analyzes the current status in information security incident management, describes the data breach notification mandate introduced by the GDPR and discusses its impact on the accountability and transparency of organisations, the amplification of the security function in organisations and the security market and the reinforcement of situational awareness. This paper also identifies enablers and barriers to compliance and highlights the key challenges that governments and organisations need to address for effective incident management, in the context of the new regulation paradigm.

View PDFchevron_right
The Effect of Data Breach Announcement on Customer Behavior: Evidence from a Multichannel Retailer
rishika rishika

Social Science Research Network, 2018

Data breach incidents have become increasingly common and businesses incur enormous costs to recover from such events. In this study, the authors assess the effects of a data breach announcement by a multichannel retailer on customer behavior. They exploit a natural experiment and use individual customer transaction data from the retailer to conduct a detailed and systematic empirical examination of the effects of a data breach announcement on customer spending and channel migration behavior. For the identification of the data breach announcement effects, the authors compare the change in customer behavior before and after the data breach announcement between two groups of customersa treatment group (customers whose information is breached) and a control group (customers whose information is not breached)using the difference-indifferences modeling framework. They find that the data breach results in a significant decrease in customer spending. However, there is a silver lining for the focal multichannel retailer as they find that customers of the firm migrate from the breached to the unbreached channels of the retailer. The findings further reflect that customers with a higher retailer patronage are more forgiving as the negative effects of the data breach announcement are lower for customers with a higher level of patronage. By leveraging data on individual customers' access to email communication from the retailer after the breach, the authors propose and empirically test for the role of customer data vulnerability as the behavioral mechanism that drives customer behavior subsequent to a data breach announcement. They perform a series of robustness checks (with alternative operationalization of variables, model specifications, and study time periods) and falsification tests to validate the findings. Based on the results, the authors offer prescriptions for managers on how to engage with customers following data breach announcements and elaborate on the role of multichannel strategy in absorbing negative demand shocks.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved